From clbianco at tiscalinet.it Fri Apr 1 09:31:35 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Fri Apr 1 09:29:05 2005
Subject: The PATH problem (was Re: Libcurl)
References: <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com> <20050322225702.GE26177@jabberwocky.com> <20050323141118.GG26177@jabberwocky.com> <20050325045012.GA13390__34035.1133062088$1111726840$gmane$org@jabberwocky.com> <20050331164903.GA7849__16631.707098759$1112288359$gmane$org@jabberwocky.com>
Message-ID:

On /31 Mar 2005/, *David Shaw* wrote:

[...]
>> > Can you try this patch?
>>
>> Of course! I have tried and it seems it is working OK!
>
> Excellent. Thanks for testing.

Not at all, David. I am always glad to be helpful.

> I've put the fix in for 1.4.2.

Excellent. Thanks for fixing! ;-)

--
| Carlo Luciano Bianco | ICQ UIN: 109517158 |
|______________________| Home page: |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From twoaday at gmx.net Fri Apr 1 09:50:14 2005
From: twoaday at gmx.net (Timo Schulz)
Date: Fri Apr 1 09:51:46 2005
Subject: WinPT error on win95
In-Reply-To: <200503301623.SAA00667@vulcan.xs4all.nl>
References: <200503301623.SAA00667@vulcan.xs4all.nl>
Message-ID: <424CFD36.9070202@gmx.net>

Johan Wevers wrote:

> machine, GnuPG worked fine but WinPT gave the error that WS_32.dll
> was missing. Can I just copy that file from a newer windows version?

Yes. I also did it in the past. It works.

> Is win95 supported at all?

Do you ask if WinPT still supports W95? Not really. It works without
any problems but I won't add any W95 specific code. A company which
name I forgot even stopped to maintain W98 so I don't see a reason
to support W95. And on the other hand I don't think _much_ people
still use it.

Timo

From peter.smilde at smilde-becker.net Fri Apr 1 13:57:51 2005
From: peter.smilde at smilde-becker.net (Peter L. Smilde)
Date: Fri Apr 1 13:54:02 2005
Subject: OpenPGP smartcard with offline primary key
Message-ID: <424D373F.1010003@smilde-becker.net>

Hello,

Another question arose while testing my new OpenPGP smartcard:

I have an offline keysigning key and would like to add a signing and an
encryption key to it for online use, with the secret parts of the last
two on the smartcard.

So I performed all steps as described in the "OpenPGP smartcard HOWTO",
section "Advanced features", subsection "Using the card only for
subkeys". At the final stage of that subsection, I have the secret
signing and encryption key on the smartcard and I have a secret keyring
containing the secret (primary) keysigning key plus the two stubs for
the secret subkeys on the smartcard.

This is OK for the offline secret keyring. But my online secret keyring
shouldn't contain the secret primary keysigning key (as before).
Removing the complete secret key (primary plus subkey stubs) from my
only keyring is not possible, because then I can't sign or decrypt with
my smartcard keys anymore.

My question: how do I get rid of my secret primary keysigning key while
still being able to use my secret signing and encryption subkeys from
the smartcard?

Thanks,

--
Peter L. Smilde
Finther Strasse 6, D-55257 Budenheim, Germany
Tel: +49 6139 5325, Fax: +49 721 151517676
E-Mail: peter.smilde@smilde-becker.net, OpenPGP Key: 0xB0E4BF99

From jan at gondor.com Fri Apr 1 14:09:15 2005
From: jan at gondor.com (Jan Niehusmann)
Date: Fri Apr 1 14:39:45 2005
Subject: OpenPGP smartcard with offline primary key
In-Reply-To: <424D373F.1010003@smilde-becker.net>
References: <424D373F.1010003@smilde-becker.net>
Message-ID: <20050401120915.GA10365@gondor.com>

On Fri, Apr 01, 2005 at 01:57:51PM +0200, Peter L. Smilde wrote:
> This is OK for the offline secret keyring. But my online secret keyring
> shouldn't contain the secret primary keysigning key (as before).

Isn't this exactly the approach described in the thread "Clarification
on purpose of subordinate keys" two days ago? There was a very nice
step-by-step description posted by Dirk Traulsen.

Yours,
Jan

From peter.smilde at smilde-becker.net Fri Apr 1 15:13:00 2005
From: peter.smilde at smilde-becker.net (Peter L. Smilde)
Date: Fri Apr 1 15:08:56 2005
Subject: OpenPGP smartcard with offline primary key
In-Reply-To: <20050401120915.GA10365@gondor.com>
References: <424D373F.1010003@smilde-becker.net> <20050401120915.GA10365@gondor.com>
Message-ID: <424D48DC.9030409@smilde-becker.net>

Jan Niehusmann wrote:

> Isn't this exactly the approach described in the thread "Clarification
> on purpose of subordinate keys" two days ago? There was a very nice
> step-by-step description posted by Dirk Traulsen.

You're right. I already knew the "purpose", but the thread clarified
this special configuration too!

Thanks,

--
Peter L. Smilde

From huehn-ml at arcor.de Fri Apr 1 15:23:06 2005
From: huehn-ml at arcor.de (Thomas Hühn)
Date: Fri Apr 1 17:29:45 2005
Subject: OpenPGP smartcard with offline primary key
In-Reply-To: <424D373F.1010003@smilde-becker.net>
References: <424D373F.1010003@smilde-becker.net>
Message-ID: <200504011523.06388.huehn-ml@arcor.de>

On Friday 01 April 2005 13:57, Peter L. Smilde wrote:

> "OpenPGP smartcard HOWTO", section "Advanced features", subsection
> "Using the card only for subkeys".

I think I have missed that mail. Could someone mail it to me, please?

Or is it a web site? Google doesn't know about it.

Thomas

From jan at gondor.com Fri Apr 1 18:00:59 2005
From: jan at gondor.com (Jan Niehusmann)
Date: Fri Apr 1 17:57:19 2005
Subject: OpenPGP smartcard with offline primary key
In-Reply-To: <200504011523.06388.huehn-ml@arcor.de>
References: <424D373F.1010003@smilde-becker.net> <200504011523.06388.huehn-ml@arcor.de>
Message-ID: <20050401160059.GA18920@gondor.com>

On Fri, Apr 01, 2005 at 03:23:06PM +0200, Thomas Hühn wrote:
> I think I have missed that mail. Could someone mail it to me, please?
>
> Or is it a web site? Google doesn't know about it.

http://www.kernelconcepts.de/products/Smartcard-HOWTO.txt

From archimedes at infinito.it Fri Apr 1 18:33:13 2005
From: archimedes at infinito.it (archimedes@infinito.it)
Date: Fri Apr 1 18:29:43 2005
Subject: key capabilities usage meanings
Message-ID:

What is the meaning of usage/capabilities listings for keys (shown, for
example, during edit-keys interactive sessions)?

S -> sign
E -> encrypt
C -> ?
A -> ?

looking at doc/DETAILS I found

C -> certification
A -> authentication

But I don't understand the difference between certification,
authentication and signing. I have different keys, each for a
different internet "personality", and I noticed that one primary key
is listed as CSA and another CS. The two keys were generated with
the same options (DSA for signing +ElGamal subkey for pubkey
encryption), so why this difference?

Another question: I read in manpage that MDC is enabled by default
with newer ciphers(blocksize>64bit) and with CAST5. So why when you
decipher a symmetrically encrypted message you get "WARNING: message
was not integrity protected" and only with --force-mdc the warning
goes away?

--
Archimedes
OpenPGP public key available through keyservers, ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Always check key fingerprints!

From dshaw at jabberwocky.com Fri Apr 1 19:00:34 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Apr 1 18:57:16 2005
Subject: key capabilities usage meanings
In-Reply-To:
References:
Message-ID: <20050401170034.GB11879@jabberwocky.com>

On Fri, Apr 01, 2005 at 06:33:13PM +0200, archimedes@infinito.it wrote:
> What is the meaning of usage/capabilities listings for
> keys (shown, for
> example, during edit-keys interactive sessions)?
> S -> sign
> E -> encrypt
> C -> ?
> A -> ?
> looking at doc/DETAILS I found
> C -> certification
> A -> authentication
>
> But I don't understand the difference between certification,
> authentication and signing. I have different keys, each for a
> different internet "personality", and I noticed that one primary key
> is listed as CSA and another CS. The two keys were generated with
> the same options (DSA for signing +ElGamal subkey for pubkey
> encryption), so why this difference?

Probably they were generated with two different versions of GnuPG. The
"A" authentication type is fairly recent.

Signing is signing data (i.e. gpg --sign the_file)
Certification is signing a key (i.e. gpg --sign-key the_key)
Authentication is signing a challenge (like ssh does).

The Authentication stuff can be used to log in to a machine using your
GPG key.

The signature math is the same however you do it. The key usage flags
are just to classify things.

> Another question: I read in manpage that MDC is enabled by default
> with newer ciphers(blocksize>64bit) and with CAST5. So why when you
> decipher a symmetrically encrypted message you get "WARNING: message
> was not integrity protected" and only with --force-mdc the warning
> goes away?

Not with CAST5. CAST5 has a blocksize of 64 bits.

David

From minnesotan at runbox.com Fri Apr 1 21:03:56 2005
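
[Added example, not part of the original thread: the capability letters David Shaw explains in the reply above are also reported in field 12 of `gpg --with-colons` key listings, lowercase for each key's own capabilities and uppercase on the primary key for the key as a whole. The sketch below decodes that field over a constructed sample listing; the key IDs, dates and user ID are made up, and the function names are this example's own.]

```python
"""Decode the capability field (field 12) of `gpg --with-colons` key listings."""

# Letter meanings as given in the thread and in GnuPG's doc/DETAILS.
CAPABILITY_NAMES = {
    "c": "certify (sign a key)",
    "s": "sign data",
    "e": "encrypt",
    "a": "authenticate (sign a challenge)",
}

# Constructed sample: two DSA primaries with ElGamal encryption subkeys.
# The first primary carries the newer "a" flag, the second does not.
SAMPLE = """\
pub:u:1024:17:AAAAAAAA11111111:1112313600:::u:::scaSCEA:
uid:u::::1112313600::0000000000000000000000000000000000000000::Alice (constructed):
sub:u:2048:16:AAAAAAAA22222222:1112313600::::::e:
pub:u:1024:17:BBBBBBBB11111111:1041379200:::u:::scSCE:
sub:u:2048:16:BBBBBBBB22222222:1041379200::::::e:
"""


def parse_listing(text):
    """Return one dict per primary key, each with a list of its subkeys."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue  # uid/sig records and short lines carry no capability field
        caps = fields[11]
        entry = {
            "keyid": fields[4],
            # lowercase letters: what this particular key may do
            "own": {c for c in caps if c in CAPABILITY_NAMES},
            # uppercase letters (primary only): what the whole key can do
            "usable": {c.lower() for c in caps
                       if c.isupper() and c.lower() in CAPABILITY_NAMES},
            "disabled": "D" in caps,
        }
        if fields[0] == "pub":
            entry["subkeys"] = []
            keys.append(entry)
        elif keys:  # ignore a stray subkey that precedes any primary
            keys[-1]["subkeys"].append(entry)
    return keys


def usage_letters(entry):
    """Own capabilities as uppercase letters in C, S, E, A order (e.g. 'CSA')."""
    return "".join(c.upper() for c in "csea" if c in entry["own"])


def holders(key, cap):
    """Key IDs (primary or subkey) that themselves carry capability `cap`."""
    return [k["keyid"] for k in [key] + key["subkeys"] if cap in k["own"]]


if __name__ == "__main__":
    for key in parse_listing(SAMPLE):
        print(key["keyid"], "primary usage:", usage_letters(key))
        for cap, name in CAPABILITY_NAMES.items():
            print("  %-32s -> %s" % (name, ", ".join(holders(key, cap)) or "none"))
```
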
From: minnesotan at runbox.com (Randy Burns)
Date: Fri Apr 1 21:00:59 2005
Subject: WinPT error on win95
In-Reply-To: <424CFD36.9070202@gmx.net>
Message-ID: <20050401190356.85004.qmail@web204.biz.mail.re2.yahoo.com>

> Johan Wevers wrote:
>
> > machine, GnuPG worked fine but WinPT gave the error that WS_32.dll
> > was missing. Can I just copy that file from a newer windows version?
>
> Yes. I also did it in the past. It works.
>
> > Is win95 supported at all?
>
> Do you ask if WinPT still supports W95? Not really. It works without
> any problems but I won't add any W95 specific code. A company which
> name I forgot even stopped to maintain W98 so I don't see a reason
> to support W95. And on the other hand I don't think _much_ people
> still use it.
>
> Timo
>

Microsoft retreated later on W98:

See: Windows 98 gets support reprieve
by Staff, ZDNet Australia
January 12, 2004, 10:45 GMT
http://news.zdnet.co.uk/0,39020330,39119028,00.htm

> Although support for the older operating systems was due to end
> shortly, Microsoft has announced that it will be extended
>
> Microsoft has extended support for Windows 98, Windows 98 SE and
> Windows ME.
>
> The software giant has extended support for the operating systems
> until 30 June, 2006. During that time paid over-the-phone support
> will be available, and "critical" security issues will be
> reviewed and "appropriate steps" taken.
>
> [...]
>
> The support expiration dates for all three of the older operating
> systems was made the same in the interests of clarity, he said.
>
> "We made the decision to also lengthen support for Windows 98 and
> Windows ME customers through the same date in order to provide a
> clear and consistent date for support conclusion for all of these
> older products," Beck explained.
>
> [...]

All the best,
Randy

From GAbimbola at Columbus.gov Fri Apr 1 21:23:24 2005
From: GAbimbola at Columbus.gov (Abimbola, Gbenga)
Date: Fri Apr 1 21:19:55 2005
Subject: WinPT error on win95
Message-ID: <8C55873387FD6C4598D2F16CFA6DDFF6084607@QWARS152EXC.columbus.local>

Hi:

Can you please advise me on how you guys get your message sent to
gnupg-users@gnupg.org? I did join the list about two weeks ago. Up till
now, none of the request that I sent to the group ever went through. I
have been sending my request in plain text.

Can you please forward this request to the organization for me?

Thanks.

Gbenga Abimbola

**** beginning of request *****

How do you generate a revocation certificate?

I did the following, but it returned an error:

gpg -output revoke.asc --gen-revoke mykey

(mykey is "gbenga", which is the comment that I supplied before the key
was generated")

The error message that I got was:

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

So, the revocation certificate was not created.

Thanks.

Gbenga

**** end of request ****

From SThutika at Satyam.odc.ml.com Thu Apr 7 08:26:39 2005
From: SThutika at Satyam.odc.ml.com (Thutika, Srinivas (ODC - Satyam))
Date: Thu Apr 7 08:21:28 2005
Subject: --export problem
Message-ID: <5967AD625B62D5118D180002A50926AB03BD8106@AGNI>

Hi,

When I am exporting the key to .asc file it is exporting correctly.

C:\gnupg\gpg.exe --homedir "C:\clear\keyrings" --armour --output "Key.asc" --export "tanik"

Then I have imported as below

C:\keyrings>C:\gnupg\gpg.exe --homedir . --import Key.asc
gpg: keyring `.\secring.gpg' created
gpg: keyring `.\pubring.gpg' created
gpg: .\trustdb.gpg: trustdb created
gpg: key B8C78A4F: public key "tanik" imported
gpg: Total number processed: 1
gpg: imported: 1

But when I try to import from --import I am getting keys only I am not
getting the secret keys

C:\keyrings>C:\working\gnupg\gpg.exe --homedir c:\mlclear\keyrings --list-secret-keys
c:/mlclear/keyrings\pubring.gpg
-------------------------------
pub 1024D/A1EC0678 2003-01-28 MillDefault
sub 2048g/B85512DE 2003-01-28

But I am getting it in the keys

C:\keyrings>C:\working\gnupg\gpg.exe --homedir c:\mlclear\keyrings --list-keys
c:/mlclear/keyrings\pubring.gpg
-------------------------------
pub 1024D/3F8EFF5D 1998-07-01 CLEAR system DH
sub 2048g/A7B402D8 1998-07-01

pub 1024D/A1EC0678 2003-01-28 MillDefault
sub 2048g/B85512DE 2003-01-28

pub 1024D/2263854C 2005-04-07 tanik
sub 2048g/845A5065 2005-04-07

Pls Clarify me...

Regards,
Srinivas.
--------------------------------------------------------
If you are not an intended recipient of this e-mail, please notify the
sender, delete it and do not read, act upon, print, disclose, copy,
retain or redistribute it. Click here for important additional terms
relating to this e-mail. http://www.ml.com/email_terms/
--------------------------------------------------------

From kfitzner at excelcia.org Thu Apr 7 08:32:31 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Thu Apr 7 08:28:36 2005
Subject: Version 0.3 of GPGee Available
Message-ID: <4254D3FF.8090008@excelcia.org>

Version 0.3 of GPGee (GNU Privacy Guard Explorer Extension) is now
available for download. Changes include:

- Major bug causing dialogs displayed more than once to display
  uninitialized (whoops).
- Configuration dialog added with options to set custom locations for
  gpg's executable, options file, and keyrings.
- Context-sensitive help added.
- Misc other minor bugs squashed.

Source and installer binary can be downloaded from:
http://www.excelcia.org/modules.php?name=Downloads&d_op=viewdownload&cid=1

For those that haven't heard of it, GPGee is a Windows explorer shell
extension DLL that adds gpg signing and encryption functionality to the
explorer right-click context menu. See the announcements on my home
page (http://www.excelcia.org) for more info.

Kurt Fitzner

p.s. btw... I suppose I should ask if these type of announcements are
kosher for this mailing list?

From harry_b at mm.st Thu Apr 7 08:48:57 2005
From: harry_b at mm.st (harry_b@mm.st)
Date: Thu Apr 7 08:45:11 2005
Subject: Question regarding GpgMe
Message-ID: <2900ABACEA343E53631E468B@toughbook>

Hello,

I am working on an application which has its datafile encrypted using
the GpgMe library. So far everything is fine except that I have to tell
it with each program start which keys to use for encrypting the data.

I would just like to reencrypt the file with the same keys which were
used before.

The question now is, how can I find out which keys the message was
encrypted for?

When I run 'gpg --decrypt FILE', all the keys are listed before the
decryption is performed. How can I get this information using GpgMe?

Any hints are highly welcome!!

TIA, Harry

--
1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M
V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++
------END GEEK CODE BLOCK------

From SThutika at Satyam.odc.ml.com Thu Apr 7 08:56:34 2005
From: SThutika at Satyam.odc.ml.com (Thutika, Srinivas (ODC - Satyam))
Date: Thu Apr 7 08:51:20 2005
Subject: --export problem
Message-ID: <5967AD625B62D5118D180002A50926AB03BD8177@AGNI>

Hi Joseph,

By using this option also I could not able to get the secret keys in
that..

Regards,
Srinivas.

-----Original Message-----
From: Joseph Bruni [mailto:brunij@earthlink.net]
Sent: Thursday, April 07, 2005 12:16 PM
To: Thutika, Srinivas (ODC - Satyam)
Cc:
Subject: Re: --export problem

You didn't indicate which version of GnuPG you're using. Earlier
versions required the addition of the "--allow-secret-key-import"
option.

From the man page of version 1.4.1:

--allow-secret-key-import
    This is an obsolete option and is not used anywhere.

On Apr 6, 2005, at 11:26 PM, Thutika, Srinivas (ODC - Satyam) wrote:

> But when I try to import from --import I am getting keys only I
> am not getting the secret keys

From wk at gnupg.org Thu Apr 7 09:42:44 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Apr 7 09:41:31 2005
Subject: --export problem
In-Reply-To: <5967AD625B62D5118D180002A50926AB03BD8106@AGNI> (Srinivas Thutika's message of "Thu, 7 Apr 2005 11:56:39 +0530")
References: <5967AD625B62D5118D180002A50926AB03BD8106@AGNI>
Message-ID: <87d5t7nibv.fsf@wheatstone.g10code.de>

On Thu, 7 Apr 2005 11:56:39 +0530 , "Thutika, Srinivas (ODC said:

> But when I try to import from --import I am getting keys only I am not
> getting the secret keys

--export does not export secret keys because, well, they are secret.
If you really need to move the secret keys to another machine, you
need to use the command --export-secret-keys to export the secret keys
(and only them). --import will just fine import secret keys.

Salam-Shalom,

Werner

From wk at gnupg.org Thu Apr 7 09:53:09 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Apr 7 09:51:32 2005
Subject: Version 0.3 of GPGee Available
In-Reply-To: <4254D3FF.8090008@excelcia.org> (Kurt Fitzner's message of "Thu, 07 Apr 2005 00:32:31 -0600")
References: <4254D3FF.8090008@excelcia.org>
Message-ID: <878y3vnhui.fsf@wheatstone.g10code.de>

On Thu, 07 Apr 2005 00:32:31 -0600, Kurt Fitzner said:

> p.s. btw... I suppose I should ask if these type of announcements are
> kosher for this mailing list?

As long as it is Free Software those announcements are welcome. If you
want to post it to gnupg-announce@gnupg.org, just go ahead and drop me
a note so I can approve it.

Shalom-Salam,

Werner

From linux at codehelp.co.uk Thu Apr 7 11:26:31 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Thu Apr 7 11:22:29 2005
Subject: Question regarding GpgMe
In-Reply-To: <2900ABACEA343E53631E468B@toughbook>
References: <2900ABACEA343E53631E468B@toughbook>
Message-ID: <200504071026.35429.linux@codehelp.co.uk>

On Thursday 07 April 2005 7:48 am, harry_b@mm.st wrote:
> So far everything is fine except that I have to tell it with
> each program start which keys to use for encrypting the data.

You can set your own key as default recipient in .gnupg/gpg.conf. That
will take care of your own key. You could also assume that the sender
would want the reply encrypted using that key, you may be able to
retrieve that from elsewhere in the application. After all, you are
reencrypting the file to someone and your application needs to know who
is the recipient - or are you trying to obtain *that* information from
gpgme as well?

More information needed really.

> I would just like to reencrypt the file with the same keys which were used
> before.

Is the file being encrypted to more than 2 keys? You and the sender?

> The question now is, how can I find out which keys the message was
> encrypted for?

What are you using to write your application? Could you use gpg
directly instead of via gpgme and use the full gpg command line / API?

It sounds like some form of scripted application - is it Perl, PHP,
bash or what?

> When I run 'gpg --decrypt FILE', all the keys are listed before the
> decryption is performed. How can I get this information using GpgMe?

I'm not sure gpgme can do that for you, but gpg certainly can. If you
are in a bash environment, you could use pattern matching etc. to
detect the other keys. It all depends on what and how you are doing
with the application.

--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From SThutika at Satyam.odc.ml.com Thu Apr 7 11:37:51 2005
From: SThutika at Satyam.odc.ml.com (Thutika, Srinivas (ODC - Satyam))
Date: Thu Apr 7 11:32:40 2005
Subject: --list-sigs problem
Message-ID: <5967AD625B62D5118D180002A50926AB03BD8385@AGNI>

> Hi werner,
>
> After --Sign-key, When I am trying to work with --list-sigs of 1.2.x
> version I am getting following output(sig 3 for the key which I want to
> sign)
>
> C:\MlClear\keyrings>c:\gnupg1.2.x\gpg --homedir . --list-sigs A1235D12
> .\pubring.gpg
> -------------
> pub 1024D/3F8EFF5D 1998-07-01
> uid Merrill Lynch CLEAR system DH
>
> sig 3 A1235D12 1998-07-01 Merrill Lynch CLEAR system DH
>
> sig 3 A1EC0678 2003-01-28 MerrillDefault
>
> sub 2048g/A7B402D8 1998-07-01
> sig 3F8EFF5D 1998-07-01 Merrill Lynch CLEAR system DH
>
> But I am not getting sig3 values for the 1.4.1
>
> C:\MlClear\keyrings>c:\gnupg1.2.x\gpg --homedir . --list-sigs A1235D12
> .\pubring.gpg
> -------------
> pub 1024D/3F8EFF5D 1998-07-01
> uid Merrill Lynch CLEAR system DH
>
> sig A1235D12 1998-07-01 Merrill Lynch CLEAR system DH
>
> sig A1EC0678 2003-01-28 MerrillDefault
>
> sub 2048g/A7B402D8 1998-07-01
> sig 3F8EFF5D 1998-07-01 Merrill Lynch CLEAR system DH
>
> Pls clarify me is there any bug in 1.4.1 of gnupg.
>
> Regards,
> srinivas
>

From kairaven at arcor.de Thu Apr 7 12:51:37 2005
From: kairaven at arcor.de (Kai Raven)
Date: Thu Apr 7 13:27:39 2005
Subject: PGPnotes
Message-ID: <20050407125137.5a9e0d96@localhost.localdomain>

Hi,

i'm not a Notes user, but i'm interested in what you are thinking about
PGPnotes, a Notes Plugin for GnuPG/WinPT?

http://www.dobysoft.com/products/pgpnotes/

Perhaps here is a Notes user, who can write something about his
experiences with PGPnotes? :)

--
Ciao
Kai

WWW: http://kai.iks-jena.de/
Blog: http://rabenhorst.blogweb.de/
OpenPGP: D6E995A0
Jabber: kraven@jabber.ccc.de

From wk at gnupg.org Thu Apr 7 14:37:51 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Apr 7 14:36:36 2005
Subject: --list-sigs problem
In-Reply-To: <5967AD625B62D5118D180002A50926AB03BD8385@AGNI> (Srinivas Thutika's message of "Thu, 7 Apr 2005 15:07:51 +0530")
References: <5967AD625B62D5118D180002A50926AB03BD8385@AGNI>
Message-ID: <874qein4o0.fsf@wheatstone.g10code.de>

On Thu, 7 Apr 2005 15:07:51 +0530 , "Thutika, Srinivas (ODC said:

>> After --Sign-key, When I am trying to work with --list-sigs of 1.2.x
>> version I am getting following output(sig 3 for the key which I want to
>> sign)

That depends on how you sign a key. 1.4 does not ask anymore for the
cert level to use (unless --ask-cert-level has been used) and uses the
level 0 as it has always been with PGP software. Thus you won't see a
cert level indication if you newly signed with gpg 1.4

I suggest that you read one of the GnuPG HOWTOs (www.gnupg.org) and
best also the GPH (GNU Privacy Handbook).

Salam-Shalom,

Werner

p.s.
Please check your Mailer, you sent an already quoted mail.

From jerri at jerri.de Thu Apr 7 15:21:43 2005
From: jerri at jerri.de (Gerhard Siegesmund)
Date: Thu Apr 7 15:18:10 2005
Subject: How to set default subkeys?
Message-ID: <20050407132143.GR1206@base.jerri.home>

Hello all

I have a question, which maybe is very silly. Most likely I don't get
the concept behind subkeys. Unfortunately I couldn't find any
information about all this in the available documents.

I was playing around with my brand new SmartCard. Thinking about
putting *additional* signing, encrypting and authorization keys on it,
based on my already used jerri@jerri.de-Key. Fortunately I made a
backup before I began playing with my secret keyring. :)

Problem is as follows: It seems gnupg uses the last created key as the
default key to use. So if I want to sign something gpg asks me to enter
the smart card. Similar with encryption. Instead of the 2048bit-Key I
created once, the new 1024 Key on the smartcard is used. So I can't
decrypt the new documents without the smartcard.

So, my question is: How do I set the default keys to use? Especially if
I make my new subkeys public. How do the people know which encryption
subkey to use?

How can I set the key to use for encryption (if I encrypt things for
myself, or for the encrypt-to-Option.)

Or in other words: Is there somewhere a really detailed documentation
about using and managing subkeys?

Thanks for any help!

--
cu
--== Jerri ==--
Homepage: http://www.jerri.de/ ICQ: 54160208
Public PGP Key: http://www.jerri.de/jerris_public_key.asc

From scc4fun at spamcop.net Thu Apr 7 16:46:13 2005
From: scc4fun at spamcop.net (Sean C. C.)
Date: Thu Apr 7 16:54:05 2005
Subject: GPG 1.4.1 over 1.4.0a upgrade
Message-ID: <425547B5.4050807@spamcop.net>

I'm going to upgrade my GnuPG from 1.4.0a to 1.4.1. When installing
1.4.0a I used the instructions from
http://enigmail.mozdev.org/gpgconf.html. It has come to my attention
that the installer for 1.4.1 uses this same pattern. My question is if
I install it right over my old one should I be concerned about my
keyring or binary or anything like that getting erased/becoming
corrupted?

I'm using Thunderbird 1.0.2 / Enigmail 0.91.0 / GPG 1.4.0a (currently)
/ WinXP Pro SP2.

Thanks in advance,
Sean

From wk at gnupg.org Thu Apr 7 16:55:10 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Apr 7 16:56:32 2005
Subject: How to set default subkeys?
In-Reply-To: <20050407132143.GR1206@base.jerri.home> (Gerhard Siegesmund's message of "Thu, 7 Apr 2005 15:21:43 +0200")
References: <20050407132143.GR1206@base.jerri.home>
Message-ID: <87r7hmk569.fsf@wheatstone.g10code.de>

On Thu, 7 Apr 2005 15:21:43 +0200, Gerhard Siegesmund said:

> So, my question is: How do I set the default keys to use? Especially if
> I make my new subkeys public. How do the people know which encryption
> subkey to use?

You may append an exclamation mark to the keyid of the subkey (like
"0x12345678!") to force gpg to use exactly that subkey.

Other people can't know and thus will encrypt to an arbitrary valid
subkey (gpg uses the latest one).

> How can I set the key to use for encryption (if I encrypt things for
> myself, or for the encrypt-to-Option.)

Same as above.

Salam-Shalom,

Werner

From harry_b at mm.st Thu Apr 7 18:01:42 2005
From: harry_b at mm.st (harry_b@mm.st)
Date: Thu Apr 7 17:57:42 2005
Subject: gpgme on Debian
Message-ID: <4D834F97D50490DAC699C3BB@toughbook>

Hello,

I am currently experiencing something very weird with libgpgme 1.0.2 on Debian (unstable). I have checked my own source quite thoroughly and it does exactly the same as the example t-encrypt-sign in the library's source distribution but it does not work.

What happens is this:

1. in the whole process no error occurs until I try to call gpgme_data_seek();
2. gpgme_data_seek returns with the error message 'Unspecified source: Invalid argument'
3. The output buffer seems not to contain any data at any time

And now comes the weird thing:

1. I got the libgpgme source, did './configure && make' and started 'GNUPGHOME=. GPG_AGENT_INFO= ./test/gpg/t-encrypt-sign' --> result: this worked quite fine
2. I compiled t-encrypt-sign.c manually and linked it against my system's library running the command 'gcc -lgpgme t-encrypt-sign.c -o t-encrypt-sign'
3. now 'GNUPGHOME=. GPG_AGENT_INFO= ./test/gpg/t-encrypt-sign' returns the message 't-support.h:56: Unspecified source: Invalid argument' and nothing works any more.

What is going on here?! I have been looking into this problem for quite a few hours but I can't get anywhere. :-/

Does anyone have some hints what could be wrong here?

Harry

--
1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++
------END GEEK CODE BLOCK------

From pheaneas at arcor.de Thu Apr 7 15:55:20 2005
From: pheaneas at arcor.de (pheaneas@arcor.de)
Date: Thu Apr 7 18:01:35 2005
Subject: SC-Reader with pinpad and GnuPG v1.4.1 (MingW32)
Message-ID: <5667838.1112882120043.JavaMail.ngmail@webmail-07.arcor-online.net>

Hello,

I would like to know if there is a way to tell GnuPG that the reader I use (which is a Reiner-SCT cyberJack pinpad USB and which works fine) actually has a pinpad. I still have to type in my passphrase via keyboard.

Thanks,
pheaneas

From wk at gnupg.org Thu Apr 7 18:33:48 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Apr 7 18:31:33 2005
Subject: SC-Reader with pinpad and GnuPG v1.4.1 (MingW32)
In-Reply-To: <5667838.1112882120043.JavaMail.ngmail@webmail-07.arcor-online.net> (pheaneas@arcor.de's message of "Thu, 7 Apr 2005 15:55:20 +0200 (CEST)")
References: <5667838.1112882120043.JavaMail.ngmail@webmail-07.arcor-online.net>
Message-ID: <87ekdmk0lv.fsf@wheatstone.g10code.de>

On Thu, 7 Apr 2005 15:55:20 +0200 (CEST), pheaneas said:

> I would like to know if there is a way to tell GnuPG that the reader
> I use (which is a Reiner-SCT cyberJack pinpad USB and which works
> fine) actually has a pinpad. I still have to type in my passphrase

There are two problems: There is no common interface under Windows to access a pinpad. This needs to be done using proprietary driver extensions.

Under GNU/Linux and other systems supported by libusb, we have the code ready to access the pinpad of some readers. However, we need to design an internal API to test whether a reader has a pinpad and whether it shall be used.

Eventually there will be support for it but it will take a while.

Shalom-Salam,

Werner

From kippenberg at web.de Thu Apr 7 08:36:30 2005
From: kippenberg at web.de (Thomas Kippenberg)
Date: Thu Apr 7 18:52:16 2005
Subject: WinPT on Windows NT problem
Message-ID: <1809997392@web.de>

Hello,

I tried to install the latest version of WinPT on my Windows NT (SP6a) machine (file gnupt-2.6.0_gpg1.4.1-wpt0.9.90-gpgrelay0.955-int.exe). When starting WinPT I get the error message:

'Der Prozedureinstiegspunkt "SHGetSpecialFolderPathA" konnte in der Dynamic Link Library "SHELL32.dll" nicht gefunden werden'

which means, that the system was not able to find the procedure entry point "SHGetSpecialFolderPathA" in the SHELL32.dll.

I get the same error when using the latest test version (file winpt-0.9.91-exe.zip). The version of my SHELL32.dll is 4.00.

Does this mean, WinPT does no longer support Windows NT (like Microsoft...)?

Thanks,
Thomas

From twoaday at freakmail.de Thu Apr 7 19:37:05 2005
From: twoaday at freakmail.de (Timo Schulz)
Date: Thu Apr 7 19:44:18 2005
Subject: WinPT on Windows NT problem
In-Reply-To: <1809997392@web.de>
References: <1809997392@web.de>
Message-ID: <20050407173705.GA467@daredevil.joesixpack.net>

On Thu Apr 07 2005; 08:36, Thomas Kippenberg wrote:

> which means, that the system was not able to find the procedure entry
> point "SHGetSpecialFolderPathA" in the SHELL32.dll.

Hmm, it works with 98 (no SE).

> The version of my SHELL32.dll is 4.00.

That's the problem. You need 4.32 (or anything close to it or newer).

> Does this mean, WinPT does no longer support Windows NT (like Microsoft...)?

WinPT supports all Windows versions (95 limited). The problem is that some OS components are too old. This is also a problem for other programs and not just WinPT. If you update the Internet Explorer, you will get a newer version of the needed components. You can also use the MS update site to get a recent version.

Timo

From ochominutosdearco at gmail.com Thu Apr 7 20:41:12 2005
From: ochominutosdearco at gmail.com (H)
Date: Thu Apr 7 21:37:50 2005
Subject: XY cromosomas
Message-ID: <200504072041.19378.ochominutosdearco@gmail.com>

Hi all,

I have a doubt to sign one friend's key. I have told it to some friends and they did not have the answer. It's a sensitive problem and I don't want to make my friend feel bad about my question.

My doubt is that I found a girl in a LUG that I have visited, that wants me to sign her key but, I did not see her documents. And that's not all. She was he time ago. I guess her is a transsexual. I knew her, and there is no doubt for me about her identity. In fact, thinking on this matter, I asked some friends of both in that LUG. They know her with that identity they in their LUG. Maybe her national docs are not updated, but her name is clearly determined for me and for the people that I asked.

Now the question is if you have had this situation before or is the first time someone ask about it. I have not problems to be the first signing this, I can survive the intolerant point of view. But I am a responsible man and I don't want to make problems to the gpg community. I don't want to make her to feel bad or different. That's why I did not ask him to add one photo. Is that forced in this case? is not enough to be sure about her identity? I am forbidden to sign by the gpg rules?

Thank you for your answer and sorry about my bad English

--
http://h.says.it
jabber: h@myjabber.net

From nsushkin at sushkins.net Thu Apr 7 22:15:30 2005
From: nsushkin at sushkins.net (Nicholas Sushkin)
Date: Thu Apr 7 22:47:20 2005
Subject: Error at "bag.attributes" importing key from freemail cert into gpgsm
Message-ID: <200504071615.30963.nsushkin@sushkins.net>

Hi,

I am trying to import into gpgsm a thawte freemail s/mime certificate I exported from Firefox in p12 format. I followed the instructions in the Welwarsky's mini-howto.

openssl pkcs12 -in ~/keys/thawte-nsushkin_sushkins_net-exp20060407.p12 -out ~/keys/thawte-nsushkin_sushkins_net-exp20060407.pem -nodes

openssl pkcs12 -in thawte-nsushkin_sushkins_net-exp20060407.pem -export -nocerts -nodes -out thawte-nsushkin_sushkins_net-exp20060407.privatekey.p12

gpgsm --call-protect-tool --p12-import --store thawte-nsushkin_sushkins_net-exp20060407.privatekey.p12

After I enter my passphrase, I am getting the errors listed below. Am I doing something wrong or did I hit a bug? Thanks.

gpg-agent[21705]: handler for fd 0 started
gpg-agent[21705.0x8075458] DBG: -> OK Pleased to meet you
gpg-agent[21705.0x8075458] DBG: <- OPTION display=:0
gpg-agent[21705.0x8075458] DBG: -> OK
gpg-agent[21705.0x8075458] DBG: <- OPTION ttyname=/dev/pts/1
gpg-agent[21705.0x8075458] DBG: -> OK
gpg-agent[21705.0x8075458] DBG: <- OPTION ttytype=xterm
gpg-agent[21705.0x8075458] DBG: -> OK
gpg-agent[21705.0x8075458] DBG: <- OPTION lc-ctype=C
gpg-agent[21705.0x8075458] DBG: -> OK
gpg-agent[21705.0x8075458] DBG: <- OPTION lc-messages=C
gpg-agent[21705.0x8075458] DBG: -> OK
gpg-agent[21705.0x8075458] DBG: <- GET_PASSPHRASE X X Passphrase: Please+enter+the+passphrase+to+unprotect+the+PKCS#12+object.
gpg-agent[21705]: starting a new PIN Entry
gpg-agent[21705]: DBG: connection to PIN entry established
gpg-agent[21705.0x8075458] DBG: -> [Confidential data not shown]
gpg-protect-tool: 2600 bytes of RC2 encrypted text
gpg-agent[21705.0x8075458] DBG: <- [EOF]
gpg-agent[21705]: handler for fd 0 terminated
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
gpg-protect-tool: encryptedData error at "bag.attributes", offset 2592
gpg-protect-tool: error at "bag.encryptedData", offset 49
gpg-protect-tool: error parsing or decrypting the PKCS-12 file

--
Nick

From smfabac at att.net Thu Apr 7 22:57:33 2005
From: smfabac at att.net (Steve M. Fabac, Jr.)
Date: Thu Apr 7 22:53:41 2005
Subject: General newbe questions using GnuPG
Message-ID: <42559EBD.2F166773@att.net>

As a newbie, I have scanned the GnuPG FAQ looking for help on the question of configuring GnuPG for encrypting and exchanging files between GnuPG 1.4.1 and a client site running GPG on AiX.

I am running GnuPG 1.4.1 on my end. My client running PGP 6.52 on AIX.

I generated my key pair taking the defaults when prompted and used

gpg --armor --export KeyID > testkey.pub

In the FAQ, the section 5.1 (shown below) has no corresponding section on "How can I encrypt a message with PGP so that GnuPG is able to decrypt it?"

> 5. COMPATIBILITY ISSUES
>
> 5.1) How can I encrypt a message with GnuPG so that PGP is able to decrypt it?

As a newbie, I have not got a clue on what choices to make running gpg --gen-key to make the necessary PGP compatible public key.

On my system, I get:

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

When I provide the key to my client and he uses it to encrypt a test message using PGP 6.5 on AIX, I get the following when I try to decrypt it with GnuPG:

[smf] unix!/u/smf/test $ gpg --decrypt testfile.txt.pgp | head
gpg: [don't know]: invalid packet (ctb=6f)

Additionally: The key pair I generated was a test pair using a non existing user name, a random comment, and bogus e-mail. (This test key is to be replaced with a production key with appropriate name, comment, and e-mail ID after testing is complete).

I then imported the test public key on my office system and signed the public test key with my private key for my e-mail ID. I exported the signed key with:

gpg --armor --export keyid > testkey2.pub

and sent it via email to my client.

I can only trust that he did the appropriate steps on his AIX box to import the key and generate a test encrypted message. The result of trying to decrypt the test message on the production system is shown above.

When I use the signed public key on my office system to encrypt a test file and transfer it to the production system, I can decrypt the message without problem.

--
Steve Fabac
S.M. Fabac & Associates
816/765-1670

From harry_b at mm.st Fri Apr 8 11:03:57 2005
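What the `invalid packet (ctb=6f)` message in Steve Fabac's mail above refers to, as an added example that is not part of the original message and is not GnuPG's code: in the OpenPGP packet format (RFC 4880, section 4.2) the first octet of every packet has bit 7 set, and 0x6f (ASCII `o`) does not. The function names and the sample bytes are assumptions constructed for this illustration.

```python
# Added example: classify the first octets of a file handed to `gpg --decrypt`.
# Names and sample bytes are constructed for illustration; this is not GnuPG code.

# Subset of the packet tags listed in RFC 4880, section 4.3.
TAG_NAMES = {
    1: "public-key encrypted session key",
    2: "signature",
    3: "symmetric-key encrypted session key",
    8: "compressed data",
    9: "symmetrically encrypted data",
    11: "literal data",
    18: "encrypted and integrity-protected data",
}
ARMOR_PREFIX = b"-----BEGIN PGP "


def _need(data, n):
    """Raise if fewer than n octets are available for the header."""
    if len(data) < n:
        raise ValueError("truncated packet header")


def parse_header(data):
    """Return (tag, header_len, body_len) for the packet starting at data[0].

    body_len is None for indeterminate (old format) or partial (new format)
    lengths. Raises ValueError if data cannot start an OpenPGP packet.
    """
    _need(data, 1)
    ctb = data[0]
    if not ctb & 0x80:
        # Bit 7 of the first octet is always set in a packet header.
        raise ValueError("invalid packet (ctb=%02x)" % ctb)
    if ctb & 0x40:
        # New format: tag in bits 5-0, length in the following octets.
        tag = ctb & 0x3F
        _need(data, 2)
        first = data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            _need(data, 3)
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            _need(data, 6)
            return tag, 6, int.from_bytes(data[2:6], "big")
        return tag, 2, None  # partial body length, body arrives in chunks
    # Old format: tag in bits 5-2, length type in bits 1-0.
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 3:
        return tag, 1, None  # indeterminate length
    size = 1 << length_type  # 1, 2 or 4 length octets
    _need(data, 1 + size)
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")


def classify(data):
    """Describe what the start of `data` looks like to an OpenPGP parser."""
    if data.lstrip().startswith(ARMOR_PREFIX):
        return "ASCII-armored OpenPGP data"
    try:
        tag, _header_len, body_len = parse_header(data)
    except ValueError as exc:
        hint = ""
        if data and 0x20 <= data[0] < 0x7F:
            hint = ", first octet is printable ASCII %r" % chr(data[0])
        return "not a binary OpenPGP packet: %s%s" % (exc, hint)
    if tag == 0:
        return "not a binary OpenPGP packet: reserved tag 0"
    name = TAG_NAMES.get(tag, "other")
    length = "unknown" if body_len is None else str(body_len)
    return "binary OpenPGP packet: tag %d (%s), body length %s" % (tag, name, length)


# Constructed sample inputs (not taken from the thread).
SAMPLES = {
    "old-format": bytes([0x85, 0x01, 0x0C]) + b"\x00" * 8,
    "new-format": bytes([0xC1, 0xC0, 0x4C]) + b"\x00" * 8,
    "armored": b"-----BEGIN PGP MESSAGE-----\nVersion: constructed\n",
    "plain-text": b"one line of ordinary text\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print("%-11s %s" % (label, classify(blob)))
```

Running `classify` on the first few octets of a received file separates a binary packet stream, an armored file, and data that is not OpenPGP at that position.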
From: harry_b at mm.st (harry_b@mm.st)
Date: Fri Apr 8 11:00:04 2005
Subject: gpgme on Debian, followup
Message-ID: <2A7AC29D9F891C3310B81C39@toughbook>

Hi once more,

I tried some more to get libgpgme to run and found the following:

When I try to run the dynamically linked version of 't-encrypt-sign' (compiled with 'gcc -lgpgme t-encrypt-sign.c -o t-encrypt-sign') the following happens when called like this:

------------------------------------------------------------------
$ GPGME_DEBUG=5 GNUPGHOME=. GPG_AGENT_INFO= ./t-encrypt-sign
gpgme_debug: level=5
posix-io.c:135: closing fd 4
posix-io.c:72: fd 3: about to read 79 bytes
posix-io.c:79: fd 3: got 79 bytes
fd 3: got `gpg (GnuPG) 1.4.0
Copyright (C) 2004 Free Software Foundation, Inc.
This progra'
posix-io.c:135: closing fd 3
t-support.h:56: Unspecified source: Invalid argument
------------------------------------------------------------------

It seems like it all fails right after it checks the gpg version.

When I run the statically linked version, the debug output looks like this:

------------------------------------------------------------------
$ GPGME_DEBUG=5 GNUPGHOME=. GPG_AGENT_INFO= ./t-encrypt-sign
gpgme_debug: level=5
posix-io.c:135: closing fd 4
posix-io.c:72: fd 3: about to read 79 bytes
posix-io.c:79: fd 3: got 79 bytes
fd 3: got `gpg (GnuPG) 1.4.0
Copyright (C) 2004 Free Software Foundation, Inc.
This progra'
posix-io.c:135: closing fd 3
Hallo Leute
posix-io.c:157: set notification for fd 3
posix-io.c:157: set notification for fd 4
posix-io.c:157: set notification for fd 5
posix-io.c:157: set notification for fd 6
posix-io.c:135: closing fd 4
posix-io.c:135: closing fd 6
posix-io.c:329: gpgme:select on [ r3 r5 ]
posix-io.c:375: select OK [ r3 r5 ]
...
------------------------------------------------------------------

Anyone who might spare some insight on this issue?

TIA,
Harry

--
1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++
------END GEEK CODE BLOCK------

From harry_b at mm.st Fri Apr 8 15:04:04 2005
From: harry_b at mm.st (harry_b@mm.st)
Date: Fri Apr 8 14:59:57 2005
Subject: Problem with gpgme 1.0.2
Message-ID: <4D26A8DFAECEB57F827B67EA@toughbook>

Hi guys,

I was battling this problem for quite some hours until I finally found a (temporary) solution.

Info:
- System: Debian unstable
- gcc 3.3.5
- libgpgme 1.0.2

The problem occurred as this:

1. when statically linked, the test t-encrypt-sign worked fine
2. when dynamically linked, the test failed when gpgme_data_seek() was called

I tried to debug this for quite a long time until - with all my desperation - I had a look at the GTK project gpa. In there I found, that they don't use the recommended function gpgme_data_seek() but instead gpgme_data_rewind() which is considered to be deprecated.

I replaced the call to gpgme_data_seek() with gpgme_data_rewind() and all works fine now - the test code t-encrypt-sign compiles and runs properly and my own code works quite nicely as well.

What's the matter here and how can this be fixed? I assume that it's not a good idea to use deprecated function to get the code working. ;-)

Harry

--
1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++
------END GEEK CODE BLOCK------

From peter.smilde at smilde-becker.net Fri Apr 8 23:39:47 2005
From: peter.smilde at smilde-becker.net (Peter L. Smilde)
Date: Fri Apr 8 23:35:46 2005
Subject: Smartcard error
Message-ID: <200504082339.47521.peter.smilde@smilde-becker.net>

Hi,

With gpg v1.4.1 under Debian I succeeded in transferring my subkeys to the OpenPGP smartcard. Running "gpg --card-status" and "gpg --card-edit" works fine. And "date | gpg --clearsign | gpg -v" is also functioning. But calling "date | gpg -er "my-name" | gpg -d" fails with the next error messages:

date | gpg -er '7BBC5696!' | gpg -d
PIN
gpg: ccid_transceive failed: (0x1000a)
gpg: apdu_send_simple(0) failed: card I/O error
gpg: encrypted with 1024-bit RSA key, ID 7BBC5696, created 2005-04-01
      "my_uid"
gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available

The same command runs fine under Win-XP (with the same smartcard, the same sc-reader (SCR 355) and the same version of gpg).

Any explanation?

--
Peter

From cwsiv at keepandbeararms.com Sat Apr 9 05:54:25 2005
From: cwsiv at keepandbeararms.com (Carl William Spitzer IV)
Date: Sat Apr 9 05:50:37 2005
Subject: online email usage with gnupg
In-Reply-To:
References:
Message-ID: <1113018830.6563.13.camel@linux.site>

On Tue, 2005-03-29 at 19:45, Joey Harrison wrote:
> is there any way to use gnupg with online email services like gmail,
> yahoo, and hotmail?
>

www.hushmail.com

CWSIV

From jharris at widomaker.com Tue Apr 5 01:27:25 2005
From: jharris at widomaker.com (Jason Harris)
Date: Sat Apr 9 15:58:10 2005
Subject: new (2005-04-03) keyanalyze results (+sigcheck)
Message-ID: <20050404232725.GA356@wilma.widomaker.com>

New keyanalyze results are available at:

http://keyserver.kjsl.com/~jharris/ka/2005-04-03/

Signatures are now being checked using keyanalyze+sigcheck:

http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From jan at gondor.com Sat Apr 9 18:22:50 2005
From: jan at gondor.com (Jan Niehusmann)
Date: Sat Apr 9 18:18:46 2005
Subject: Smartcard error
In-Reply-To: <200504082339.47521.peter.smilde@smilde-becker.net>
References: <200504082339.47521.peter.smilde@smilde-becker.net>
Message-ID: <20050409162250.GA22783@gondor.com>

On Fri, Apr 08, 2005 at 11:39:47PM +0200, Peter L. Smilde wrote:
> gpg: ccid_transceive failed: (0x1000a)
> gpg: apdu_send_simple(0) failed: card I/O error
> gpg: encrypted with 1024-bit RSA key, ID 7BBC5696, created 2005-04-01
> "my_uid"
> gpg: public key decryption failed: general error
> gpg: decryption failed: secret key not available

See my mail to gnupg-devel - I have the same problem on debian. With the options --disable-ccid --pcsc-driver /usr/lib/libpcsclite.so.1 gnupg seems to work reliably. (After starting pcscd, of course)

Jan

From erpo41 at hotpop.com Sun Apr 10 06:25:04 2005
From: erpo41 at hotpop.com (Erpo)
Date: Sun Apr 10 07:35:46 2005
Subject: gpg over ssh... (security problem)
In-Reply-To: <20050320090952.GB5389@base.jerri.home>
References: <20050320090952.GB5389@base.jerri.home>
Message-ID: <1113107104.6750.14.camel@localhost.localdomain>

On Sun, 2005-03-20 at 10:09 +0100, Gerhard Siegesmund wrote:
> Say, I have a encrypted file somewhere on a server on the net.
> Naturally I don't have my private key on that "unsafe" server. I want
> to use the output of the encrypted file in a pipe to do something with
> it.
>
> I don't like the idea to send the encrypted file back to my home-server
> to decrypt it there and then send back the decrypted file to the
> work-server. Also this would work, I would have to remember to remove
> the decrypted file after the action.
>
> My idea was to do something like the following:
>
> cat encrypted_file.gpg | ssh me@my.home.server gpg --decrypt | do_something.sh
>
>[...]
>
> So. Does this way sound correctly in your ears? How about security
> (apart from the point, that my homeserver is available from the net,
> which I know lowers my security a lot. I hope, my password is good
> enough.)? Is this at all possible?

There is a security problem here. The point of not keeping your secret key on the remote server is that someone could find a way to access files that are only accessible to your user account on the remote server. But if someone could access files on the remote server in this manner (say, by rooting it or cracking your password), that person could also modify files in your account (say, .bash_profile) so that when you try to execute a command like:

cat encrypted_file.gpg | ssh me@my.home.server gpg --decrypt | do_something.sh

the remote server instead executes a program, designed by the attacker, that records your home machine's password as well as your passphrase. The effect is the same: the attacker would be able to use your private key.

Nor would it be secure to reverse roles in this situation. Suppose you wrote a script on your home machine that connects to the remote server, pulls down the file to be decrypted, decrypts it, sends it back to the remote server, executes a command on the remote server, and deletes the decrypted file on the remote server. Then an attacker who has compromised the remote server could, upon detecting your running this type of script (by any number of means), replace the file you intend to download with any encrypted message to you and could replace the server-side command you intend to run on the decrypted data with a command that makes a copy of it somewhere out of the way. The attacker would not be able to access your private key, but she would be able to decrypt any chosen piece of your encrypted data.

The only thing you know for certain is that a server that has been compromised is a server that does whatever an attacker wants it to. Using a scheme like the proposed one is only marginally better than not encrypting your data at all. That said, these schemes (in the order presented) require respectively increasing levels of technical sophistication on the part of the attacker.

Eric

From erpo41 at hotpop.com Sun Apr 10 07:41:40 2005
From: erpo41 at hotpop.com (Erpo)
Date: Sun Apr 10 07:35:54 2005
Subject: potentially serious problem (was Re: WinPT on Windows NT problem)
In-Reply-To: <20050407173705.GA467@daredevil.joesixpack.net>
References: <1809997392@web.de> <20050407173705.GA467@daredevil.joesixpack.net>
Message-ID: <1113111700.6750.80.camel@localhost.localdomain>

> > The version of my SHELL32.dll is 4.00.
>
> That's the problem. You need 4.32 (or anything close to it or newer).
>
>
> > Does this mean, WinPT does no longer support Windows NT (like Microsoft...)?
>
> WinPT supports all Windows versions (95 limited). The problem is that some
> OS components are too old. This is also a problem for other programs and
> not just WinPT. If you update the Internet Explorer, you will get a newer
> version of the needed components. You can also use the MS update site to
> get a recent version.
>

I see this as being a potentially serious problem. Please allow me to explain.

One of the most frustrating things for me when I switched from Linux to Windows, as well as one of the most common frustrations I heard as I helped other people to do the same, was that installing software on Windows is a whole lot easier than installing software on Linux, and the reason is dependencies.

The reason I say that this particular WinPT snarl is a potentially serious problem is that I'm starting to see this linux "expecting the user to resolve dependency issues is OK" mentality invade the Windows desktop space, and by no means just with WinPT (which I love, by the way).

Because Microsoft has done a great job creating a dependable platform for writing applications, users have gotten used to checking for Windows 98/Windows XP/Windows Whatever on the outside of the box and expecting the program to work providing that single criteria is met.

It's ok to list Windows NT 4 as a requirement for running a program, if that's really the only requirement. It's ok to list Windows NT 4 with Service Pack 6a as a requirement for running a program, if that's really the only requirement. It's ok to list Windows NT 4 with Service Pack 6a and Internet Explorer 5 as a requirement for running a program, if that's really the only requirement.

It's not ok to list SHELL32.dll v4.32 or later as a requirement for running a program. This does not mean it's not ok to _have_ SHELL32.dll v4.32 or later as a requirement for running a program. The difference?

When the software doesn't work right, explaining the specific technical problem to the average user isn't much use at all. Explaining how to fix the problem, the easier the fix the better, is good. Making sure the problem never happens is best.

In order to solve this problem, I propose that:

1. If technically and legally feasible, an appropriate version of SHELL32.dll and other libraries from which WinPT requires capabilities not available in the base OS should be bundled with WinPT. This is the best solution since it works with the least user knowledge and effort and potentially provides the best compatibility.

OR

2. The download page for WinPT should list the compatible OSs as "Windows 95(limited)/98/Me/NT with IE x.y or later/2000/XP" and the installer should detect an intended installation on an incompatible OS (e.g. NT without IE x.y or later) and prompt the user to take specific corrective action (e.g. "Please install IE x.y or later and try to install WinPT again.").

I realize that some people cannot hear "Microsoft has done a great job" and cannot hear criticism of a FOSS program, the FOSS way of doing things, or an author of a FOSS program, particularly one who writes software without compensation, and particularly those as friendly and helpful as the people who write Gaim*, The GIMP*, and WinPT without going into "zealot with a flamethrower mode." I can only say that I have put effort and editing into making my comments and suggestions as conducive to creating cool, on-topic discussion as I can.

Thank you,
Eric

*Both Gaim for Windows after a certain version and The Gimp 2.x require some specific version of GTK+ 2.x installed system-wide in order to run. For a very long time, if you tried to install both at the same time (even considering that new versions of GTK+ 2.x are supposed to be backwards compatible all the way to 2.0), nastiness ensued. At one point I found a combination of a gtk installer, a Gaim installer, and a Gimp installer that wouldn't destroy each other. Champagne was nearly uncorked.

From erpo41 at hotpop.com Sun Apr 10 07:48:14 2005
From: erpo41 at hotpop.com (Erpo)
Date: Sun Apr 10 07:42:17 2005
Subject: How to create self-extracting executable? (possible solution)
In-Reply-To: <20050317200211.GB20742@mwilson.umlcoop.net>
References: <20050317200211.GB20742@mwilson.umlcoop.net>
Message-ID: <1113112094.6750.84.camel@localhost.localdomain>

On Thu, 2005-03-17 at 15:02 -0500, Matthew Wilson wrote:
> My office uses PGP to create self-extracting executable files.
>
> Is this feature possible with GPG?

It's not GPG or PGP, but this might be what you're looking for:

http://www.pcworld.com/downloads/file_description/0,fid,1206,00.asp

From rlaager at wiktel.com Sun Apr 10 09:39:12 2005
From: rlaager at wiktel.com (Richard Laager)
Date: Sun Apr 10 10:59:20 2005
Subject: potentially serious problem (was Re: WinPT on Windows NT problem)
In-Reply-To: <1113111700.6750.80.camel@localhost.localdomain>
References: <1809997392@web.de> <20050407173705.GA467@daredevil.joesixpack.net> <1113111700.6750.80.camel@localhost.localdomain>
Message-ID: <1113118752.12992.12.camel@localhost>

On Sat, 2005-04-09 at 22:41 -0700, Erpo wrote:
> It's not ok to list SHELL32.dll v4.32 or later as a requirement for
> running a program. This does not mean it's not ok to _have_ SHELL32.dll
> v4.32 or later as a requirement for running a program. The difference?

While I totally agree with your points, I'd like to offer just one thought:

If your operating environment provides a proper package manager, you can have dependencies like shell32 >= 4.32. When you tried to install WinPT, the package manager should tell you that you don't have the right version of shell32.dll, which is provided by the package "Internet Explorer". This makes it pretty clear what you need to do.

The Microsoft approach involves having applications ship copies of DLLs that they didn't make. This is VERY BAD. It leads to DLL Hell. It also makes system maintenance a nightmare because you have multiple copies of the same DLL all over the machine. Finally, it totally defeats the point of DLLs because you end up loading multiple copies into memory.

> At one point
> I found a combination of a gtk installer, a Gaim installer, and a Gimp
> installer that wouldn't destroy eachother.

I've never had trouble making this work. The best way to do it is to use GTK+ as distributed by Gaim, I think.

Richard Laager

From mysqlcat.8.wrenhunt at spamgourmet.com Sun Apr 10 14:51:23 2005
From: mysqlcat.8.wrenhunt at spamgourmet.com (J. Wren Hunt)
Date: Sun Apr 10 14:47:46 2005
Subject: key capabilities usage meanings
In-Reply-To: <20050401170034.GB11879@jabberwocky.com>
References: <20050401170034.GB11879@jabberwocky.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

David Shaw wrote:
| Authentication is signing a challenge (like ssh does). The
| Authentication stuff can be used to log in to a machine using your GPG key.
|

Is there any public documentation on how to implement this? The only way I've seen thus far to implement this is to use patched versions of the SSH daemon which I'm rather loathe to do if there's an easier/more-supported way.

Thx!

- --
Cheers!

J. Wren Hunt
Cambridge, MA. USA
- ------------
"In theory, there is no difference between theory and practice. But, in practice, there is." - Jan L.A. van de Snepscheut
+------------------------------------------------------------------+
| v-card http://wrenhunt.homelinux.org/data/wren.vcf |
| x.509 http://wrenhunt.homelinux.org/data/thawte_wren_hunt.cer |
| OpenPGP ADF5 1432 A59E 8F4D 4AE7 4DFE 03FA 91E1 4A24 D6F4 |
+------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCWSFLA/qR4Uok1vQRAy3rAJ9QqFnVlQHrbyMyAxDGvRywffnw3QCgleSy
9xBD8WIaJjSp4yPcziXKh/A=
=1QSy
-----END PGP SIGNATURE-----

From twoaday at freakmail.de Sun Apr 10 15:40:07 2005
From: twoaday at freakmail.de (Timo Schulz) Date: Sun Apr 10 15:40:02 2005 Subject: potentially serious problem (was Re: WinPT on Windows NT problem) In-Reply-To: <1113111700.6750.80.camel@localhost.localdomain> References: <1809997392@web.de> <20050407173705.GA467@daredevil.joesixpack.net> <1113111700.6750.80.camel@localhost.localdomain> Message-ID: <20050410134007.GA429@daredevil.joesixpack.net> On Sat Apr 09 2005; 22:41, Erpo wrote: > It's ok to list Windows NT 4 as a requirement for running a program, if > that's really the only requirement. It's ok to list Windows NT 4 with [snip] Then I guess the easiest way is that I remove the 'supports 95/NT' string because I expect at least an average PC system. And this means at least ME and a recent Explorer version. > It's not ok to list SHELL32.dll v4.32 or later as a requirement for > running a program. This does not mean it's not ok to _have_ SHELL32.dll > v4.32 or later as a requirement for running a program. The difference? I see your point but the requirement is over 8 years old. And if somebody uses such an old system, I would call this an exception and not ordinary. > 2. The download page for WinPT should list the compatible OSs as > "Windows 95(limited)/98/Me/NT with IE x.y or later/2000/XP" As I said, it's probably the best to remove 95/NT. I agree that it is annoying for people with older systems that it won't work, but 4.32 is pretty old and I don't think I really need to mention it. When WinPT would depend on the XP version of the DLL, it's worth to mention because XP is pretty new compared to 98. I will either remove 95/NT or I will put a notice there that some OS components need to be refreshed. Timo From johanw at vulcan.xs4all.nl Sun Apr 10 23:42:10 2005 
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Apr 10 23:38:26 2005 Subject: potentially serious problem (was Re: WinPT on Windows NT problem)[C In-Reply-To: <20050410134007.GA429@daredevil.joesixpack.net> from Timo Schulz at "Apr 10, 2005 03:40:07 pm" Message-ID: <200504102142.XAA00617@vulcan.xs4all.nl> Timo Schulz wrote: >Then I guess the easiest way is that I remove the 'supports 95/NT' >string because I expect at least an average PC system. And this means >at least ME and a recent Explorer version. Hmmm. I see win98 still being used a lot, but ME was such a crappy version that I rarely see it. Win98SE is often installed when refurbishing old systems. >> It's not ok to list SHELL32.dll v4.32 or later as a requirement for >> running a program. I see no problem with this. For the windows newbie it would be helpful to add that it will be installed with IE v. X.Y.Z. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From christian.rank at rz.uni-passau.de Mon Apr 11 08:05:02 2005 From: christian.rank at rz.uni-passau.de (Christian Rank) Date: Mon Apr 11 08:56:32 2005 Subject: OpenPGP card "factory reset"? Message-ID: <425A138E.9060504@rz.uni-passau.de> Hello list, is there any possibility to perform some sort of "factory reset" on an OpenPGP smartcard, esp. to clear the keys stored on the card? Thanks in advance, -- Dr. Christian Rank Rechenzentrum Universität Passau Innstr. 33 D-94032 Passau GERMANY Tel.: 0851/509-1838 Fax: 0851/509-1802 PGP public key see http://www.rz.uni-passau.de/mitarbeiter/rank From twoaday at freakmail.de Mon Apr 11 06:57:22 2005 
From: twoaday at freakmail.de (Timo Schulz) Date: Mon Apr 11 16:02:37 2005 Subject: potentially serious problem (was Re: WinPT on Windows NT problem)[C In-Reply-To: <200504102142.XAA00617@vulcan.xs4all.nl> References: <20050410134007.GA429@daredevil.joesixpack.net> <200504102142.XAA00617@vulcan.xs4all.nl> Message-ID: <20050411045722.GA333@daredevil.joesixpack.net> On Sun Apr 10 2005; 23:42, Johan Wevers wrote: > Hmmm. I see win98 still being used a lot, but ME was such a crappy version > that I rarely see it. Win98SE is often installed when refurbishing old And 98 is no problem because SE comes with a proper version. > I see no problem with this. For the windows newbie it would be helpful > to add that it will be installed with IE v. X.Y.Z. I don't know the exact version of IE which is needed. And I still think that today a newbie would rather use XP than any older W32 version. Timo From wk at gnupg.org Mon Apr 11 16:08:01 2005 
From: wk at gnupg.org (Werner Koch) Date: Mon Apr 11 16:06:45 2005 Subject: Smartcard error In-Reply-To: <200504082339.47521.peter.smilde@smilde-becker.net> (Peter L. Smilde's message of "Fri, 8 Apr 2005 23:39:47 +0200") References: <200504082339.47521.peter.smilde@smilde-becker.net> Message-ID: <87br8lcsou.fsf@wheatstone.g10code.de> On Fri, 8 Apr 2005 23:39:47 +0200, Peter L Smilde said: > The same command run fine under Win-XP (with the same smartcard, the same > sc-reader (SCR 355) and the same version of gpg). Did you applied the attached patch, which is also in the current CVS version? Shalom-Salam, Werner -------------- next part -------------- 2005-03-16 Werner Koch * ccid-driver.c (parse_ccid_descriptor): Make SCM workaround reader type specific. (scan_or_find_devices): Do not check the interface subclass in the SPR532 kludge, as this depends on the firmware version. (ccid_get_atr): Get the Slot status first. This solves the problem with readers hanging on recent Linux 2.6.x. (bulk_in): Add argument TIMEOUT and changed all callers to pass an appropriate one. Change the standard timeout from 10 to 5 seconds. (ccid_slot_status): Add a retry code with an initial short timeout. (do_close_reader): Do an usb_reset before closing the reader. Index: g10/ccid-driver.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/ccid-driver.c,v retrieving revision 1.21 retrieving revision 1.22 diff -u -p -r1.21 -r1.22 --- g10/ccid-driver.c 27 Jan 2005 10:30:27 -0000 1.21 +++ g10/ccid-driver.c 16 Mar 2005 19:10:54 -0000 1.22 @@ -1,5 +1,5 @@ /* ccid-driver.c - USB ChipCardInterfaceDevices driver - * Copyright (C) 2003, 2004 Free Software Foundation, Inc. + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. * Written by Werner Koch. * * This file is part of GnuPG. 
@@ -52,7 +52,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: ccid-driver.c,v 1.21 2005/01/27 10:30:27 wk Exp $ + * $Date: 2005/03/16 19:10:54 $ */ @@ -223,7 +223,7 @@ static unsigned int compute_edc (const u int use_crc); static int bulk_out (ccid_driver_t handle, unsigned char *msg, size_t msglen); static int bulk_in (ccid_driver_t handle, unsigned char *buffer, size_t length, - size_t *nread, int expected_type, int seqno); + size_t *nread, int expected_type, int seqno, int timeout); /* Convert a little endian stored 4 byte value into an unsigned integer. */ @@ -403,7 +403,7 @@ parse_ccid_descriptor (ccid_driver_t han if (buf[49] == 0xff) DEBUGOUT_CONT ("echo\n"); else - DEBUGOUT_1 (" %02X\n", buf[48]); + DEBUGOUT_CONT_1 (" %02X\n", buf[48]); DEBUGOUT ( " wlcdLayout "); if (!buf[50] && !buf[51]) @@ -446,12 +446,20 @@ parse_ccid_descriptor (ccid_driver_t han send a frame of n*wMaxPacketSize back to us. Given that wMaxPacketSize is 64 for these readers we set the IFSD to a value lower than that: - 64 - 10 CCID header - 4 T1frame - 2 reserved = 48 */ + 64 - 10 CCID header - 4 T1frame - 2 reserved = 48 + Product Ids: + 0xe001 - SCR 331 + 0x5111 - SCR 331-DI + 0x5115 - SCR 335 + 0xe003 - SPR 532 + */ if (handle->id_vendor == VENDOR_SCM - /* FIXME: check whether it is the same - firmware version for all drivers. */ - && handle->bcd_device < 0x0519 - && handle->max_ifsd > 48) + && handle->max_ifsd > 48 + && ( (handle->id_product == 0xe001 && handle->bcd_device < 0x0516) + ||(handle->id_product == 0x5111 && handle->bcd_device < 0x0620) + ||(handle->id_product == 0x5115 && handle->bcd_device < 0x0519) + ||(handle->id_product == 0xe003 && handle->bcd_device < 0x0504) + )) { DEBUGOUT ("enabling workaround for buggy SCM readers\n"); handle->max_ifsd = 48; 
@@ -699,9 +707,7 @@ scan_or_find_devices (int readerno, cons && ifcdesc->bInterfaceProtocol == 0) || (ifcdesc->bInterfaceClass == 255 && dev->descriptor.idVendor == 0x04e6 - && dev->descriptor.idProduct == 0xe003 - && ifcdesc->bInterfaceSubClass == 1 - && ifcdesc->bInterfaceProtocol == 1))) + && dev->descriptor.idProduct == 0xe003))) { idev = usb_open (dev); if (!idev) @@ -974,11 +980,13 @@ do_close_reader (ccid_driver_t handle) rc = bulk_out (handle, msg, msglen); if (!rc) - bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus,seqno); + bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus, + seqno, 2000); handle->powered_off = 1; } if (handle->idev) { + usb_reset (handle->idev); usb_release_interface (handle->idev, handle->ifc_no); usb_close (handle->idev); handle->idev = NULL; @@ -1102,10 +1110,10 @@ bulk_out (ccid_driver_t handle, unsigned BUFFER and return the actual read number if bytes in NREAD. SEQNO is the sequence number used to send the request and EXPECTED_TYPE the type of message we expect. Does checks on the ccid - header. Returns 0 on success. */ + header. TIMEOUT is the timeout value in ms. Returns 0 on success. */ static int bulk_in (ccid_driver_t handle, unsigned char *buffer, size_t length, - size_t *nread, int expected_type, int seqno) + size_t *nread, int expected_type, int seqno, int timeout) { int i, rc; size_t msglen; @@ -1117,9 +1125,7 @@ bulk_in (ccid_driver_t handle, unsigned rc = usb_bulk_read (handle->idev, handle->ep_bulk_in, buffer, length, - 10000 /* ms timeout */ ); - /* Fixme: instead of using a 10 second timeout we should better - handle the timeout here and retry if appropriate. */ + timeout); if (rc < 0) { DEBUGOUT_1 ("usb_bulk_read error: %s\n", strerror (errno)); 
@@ -1175,7 +1181,7 @@ bulk_in (ccid_driver_t handle, unsigned } -/* Note that this fucntion won't return the error codes NO_CARD or +/* Note that this function won't return the error codes NO_CARD or CARD_INACTIVE */ static int send_escape_cmd (ccid_driver_t handle, @@ -1206,7 +1212,8 @@ send_escape_cmd (ccid_driver_t handle, rc = bulk_out (handle, msg, msglen); if (rc) return rc; - rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Escape, seqno); + rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Escape, + seqno, 5000); return rc; } @@ -1276,7 +1283,9 @@ ccid_slot_status (ccid_driver_t handle, unsigned char msg[100]; size_t msglen; unsigned char seqno; + int retries = 0; + retry: msg[0] = PC_to_RDR_GetSlotStatus; msg[5] = 0; /* slot */ msg[6] = seqno = handle->seqno++; @@ -1288,7 +1297,21 @@ ccid_slot_status (ccid_driver_t handle, rc = bulk_out (handle, msg, 10); if (rc) return rc; - rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus, seqno); + rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus, + seqno, retries? 1000 : 200); + if (rc == CCID_DRIVER_ERR_CARD_IO_ERROR && retries < 3) + { + if (!retries) + { + fprintf (stderr, "CALLING USB_CLEAR_HALT\n"); + usb_clear_halt (handle->idev, handle->ep_bulk_in); + usb_clear_halt (handle->idev, handle->ep_bulk_out); + } + else + fprintf (stderr, "RETRYING AGIAN\n"); + retries++; + goto retry; + } if (rc && rc != CCID_DRIVER_ERR_NO_CARD && rc != CCID_DRIVER_ERR_CARD_INACTIVE) return rc; @@ -1303,6 +1326,7 @@ ccid_get_atr (ccid_driver_t handle, unsigned char *atr, size_t maxatrlen, size_t *atrlen) { int rc; + int statusbits; unsigned char msg[100]; unsigned char *tpdu; size_t msglen, tpdulen; 
@@ -1311,6 +1335,15 @@ ccid_get_atr (ccid_driver_t handle, unsigned int edc; int i; + /* First check whether a card is available. */ + rc = ccid_slot_status (handle, &statusbits); + if (rc) + return rc; + if (statusbits == 2) + return CCID_DRIVER_ERR_NO_CARD; + + /* For an inactive and also for an active card, issue the PowerOn + command to get the ATR. */ msg[0] = PC_to_RDR_IccPowerOn; msg[5] = 0; /* slot */ msg[6] = seqno = handle->seqno++; @@ -1323,7 +1356,8 @@ ccid_get_atr (ccid_driver_t handle, rc = bulk_out (handle, msg, msglen); if (rc) return rc; - rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_DataBlock, seqno); + rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_DataBlock, + seqno, 5000); if (rc) return rc; @@ -1367,7 +1401,8 @@ ccid_get_atr (ccid_driver_t handle, if (rc) return rc; /* Note that we ignore the error code on purpose. */ - bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Parameters, seqno); + bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Parameters, + seqno, 5000); handle->t1_ns = 0; handle->t1_nr = 0; @@ -1414,7 +1449,7 @@ ccid_get_atr (ccid_driver_t handle, rc = bulk_in (handle, msg, sizeof msg, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; @@ -1510,7 +1545,7 @@ ccid_transceive_apdu_level (ccid_driver_ msg = recv_buffer; rc = bulk_in (handle, msg, sizeof recv_buffer, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; @@ -1683,7 +1718,7 @@ ccid_transceive (ccid_driver_t handle, msg = recv_buffer; rc = bulk_in (handle, msg, sizeof recv_buffer, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; @@ -1692,7 +1727,7 @@ ccid_transceive (ccid_driver_t handle, if (tpdulen < 4) { - usb_clear_halt (handle->idev, 0x82); + usb_clear_halt (handle->idev, handle->ep_bulk_in); return CCID_DRIVER_ERR_ABORTED; } #ifdef DEBUG_T1 
@@ -1960,7 +1995,7 @@ ccid_transceive_secure (ccid_driver_t ha msg = recv_buffer; rc = bulk_in (handle, msg, sizeof recv_buffer, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; From wk at gnupg.org Mon Apr 11 16:12:49 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Apr 11 16:11:37 2005 Subject: key capabilities usage meanings In-Reply-To: (J. Wren Hunt's message of "Sun, 10 Apr 2005 08:51:23 -0400") References: <20050401170034.GB11879@jabberwocky.com> Message-ID: <877jj9csgu.fsf@wheatstone.g10code.de> On Sun, 10 Apr 2005 08:51:23 -0400, J Wren Hunt said: > Is there any public documentation on how to implement this? The only way > I've seen thus far to implement this is to use patched versions of the > SSH daemon which I'm rather loathe to do if there's an > easier/more-supported way. Thx! The CVS version of gnupg 1.9 supports this by providing a replacement for the ssh-agent. There is one problem though: As of now you can't use gpg (1.4) with smartcards and the gpg-agent with smartcards at the same time, becuase both demand exclusive access to the reader. Its pretty annoying and I am actually working on solving it. If you don't need a background ssh process (i.e. from a cron job) there is an ugly workaround: Give gpg-agent a HUP before using gpg, so that gpg-agent will release access to the reader. Stay tuned. Salam-Shalom, Werner From wk at gnupg.org Mon Apr 11 16:15:02 2005 
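Review bot: In the parse_ccid_descriptor hunk of the ccid-driver.c patch (@@ -446,12 +446,20 @@), the SCM workaround is now keyed to four literal product IDs, so any other SCM reader that previously matched `handle->bcd_device < 0x0519` with `max_ifsd > 48` silently loses the IFSD clamp. If that narrowing is intended, say so in the comment next to the product list; otherwise keep a vendor-wide fallback. A small table of { product id, first fixed firmware } would also be easier to extend than the four hand-written `||` clauses, which repeat the IDs already listed in the comment.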
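Review bot: In the do_close_reader hunk (@@ -974,11 +980,13 @@), the return value of the new `usb_reset (handle->idev);` is discarded and the same handle is then passed to usb_release_interface and usb_close. libusb 0.1 documents that the device re-enumerates after usb_reset and that the handle used for the reset no longer works, so the two calls that follow may fail on a stale handle. Suggest releasing the interface before the reset, reporting a failed reset through DEBUGOUT, and adding a comment explaining why a reset on close is needed for these readers.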
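Review bot: The retry branch added to ccid_slot_status (@@ -1288,7 +1297,21 @@) writes "CALLING USB_CLEAR_HALT" and "RETRYING AGIAN" to stderr with bare fprintf calls, while the rest of the file reports through the DEBUGOUT macros. These look like leftover debugging output and would reach every user's terminal whenever the reader is slow to answer; route them through DEBUGOUT and fix the "AGIAN" typo. The results of both usb_clear_halt calls are also ignored, and the 200 ms / 1000 ms timeouts and the limit of 3 retries would be clearer as named constants with a note on how they were chosen.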
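Review bot: The card-presence check added at the top of ccid_get_atr (@@ -1311,6 +1335,15 @@) compares against a bare literal, `if (statusbits == 2)`, and nothing in the hunk says what the other values mean. Since the branch returns CCID_DRIVER_ERR_NO_CARD, a named constant or a one-line comment stating that 2 is the "no card present" slot status would make the check reviewable without reading ccid_slot_status, and would keep the two functions in step if the encoding ever changes.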
From: wk at gnupg.org (Werner Koch) Date: Mon Apr 11 16:11:47 2005 Subject: OpenPGP card "factory reset"? In-Reply-To: <425A138E.9060504@rz.uni-passau.de> (Christian Rank's message of "Mon, 11 Apr 2005 08:05:02 +0200") References: <425A138E.9060504@rz.uni-passau.de> Message-ID: <873btxcsd5.fsf@wheatstone.g10code.de> On Mon, 11 Apr 2005 08:05:02 +0200, Christian Rank said: > is there any possibility to perform some sort of "factory reset" on a > OpenPGP smartcard, esp. to clear the keys stored on the card? Nope. You might want to import dummy keys instead. I plan to have a wipe function in a future release of gpg. Shalom-Salam, Werner From mconahan at zixtestott.com Mon Apr 11 19:10:00 2005 From: mconahan at zixtestott.com (mconahan@zixtestott.com) Date: Mon Apr 11 19:05:59 2005 Subject: Problems encrypting binary with GnuPGMe Message-ID: <425AAF68.9010800@zixtestott.com> Hi everyone, I was wondering if anyone has come across problems encrypting binary with GnuPGME? My app is using GnuPGME to PGP-Inline encrypt MIME; however, my app is having problems with encrypting binary file attachments, after they have been base64 decoded. My app is using the GnuPGME function gpgme_op_encrypt to encrypt; the function mentions that it accepts plaintext (nothing mentioned about binary data), so I may be out of luck here. I just wanted to see if anybody has any ideas/workarounds. Thanks, Michael From marcus.brinkmann at ruhr-uni-bochum.de Mon Apr 11 20:18:30 2005 
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Mon Apr 11 20:16:02 2005 Subject: GPGME and Debian In-Reply-To: <87fyxxct4x.fsf@wheatstone.g10code.de> References: <87fyxxct4x.fsf@wheatstone.g10code.de> Message-ID: <87r7hhkwi1.wl@ulysses.g10code.de> > 2. I compiled t-encrypt-sign.c manually and linked it against my > systems library running the command > 'gcc -lgpgme t-encrypt-sign.c -o t-encrypt-sign' You need -D_FILE_OFFSET_BITS=64. I paste the relevant section of the manual below. This is a FQ, we probably should have a FAQ. Thanks, Marcus Largefile Support (LFS) ======================= GPGME is compiled with largefile support by default, if it is available on the system. This means that GPGME supports files larger than two gigabyte in size, if the underlying operating system can. On some systems, largefile support is already the default. On such systems, nothing special is required. However, some systems provide only support for files up to two gigabyte in size by default. Support for larger file sizes has to be specifically enabled. To make a difficult situation even more complex, such systems provide two different types of largefile support. You can either get all relevant functions replaced with alternatives that are largefile capable, or you can get new functions and data types for largefile support added. Those new functions have the same name as their smallfile counterparts, but with a suffix of 64. An example: The data type `off_t' is 32 bit wide on GNU/Linux PC systems. To address offsets in large files, you can either enable largefile support add-on. Then a new data type `off64_t' is provided, which is 64 bit wide. Or you can replace the existing `off_t' data type with its 64 bit wide counterpart. All occurrences of `off_t' are then automagically replaced. As if matters were not complex enough, there are also two different types of file descriptors in such systems. 
This is important because if file descriptors are exchanged between programs that use a different maximum file size, certain errors must be produced on some file descriptors to prevent subtle overflow bugs from occurring. As you can see, supporting two different maximum file sizes at the same time is not at all an easy task. However, the maximum file size does matter for GPGME, because some data types it uses in its interfaces are affected by that. For example, the `off_t' data type is used in the `gpgme_data_seek' function, to match its POSIX counterpart. This affects the call-frame of the function, and thus the ABI of the library. Furthermore, file descriptors can be exchanged between GPGME and the application. For you as the user of the library, this means that your program must be compiled in the same file size mode as the library. Luckily, there is absolutely no valid reason for new programs to not enable largefile support by default and just use that. The compatibility modes (small file sizes or dual mode) can be considered an historic artefact, only useful to allow for a transitional period. GPGME is compiled using largefile support by default. This means that your application must do the same, at least as far as it is relevant for using the `gpgme.h' header file. All types in this header files refer to their largefile counterparts, if they are different from any default types on the system. You can enable largefile support, if it is different from the default on the system the application is compiled on, by using the Autoconf macro `AC_SYS_LARGEFILE'. If you do this, then you don't need to worry about anything else: It will just work. In this case you might also want to use `AC_FUNC_FSEEKO' to take advantage of some new interfaces, and `AC_TYPE_OFF_T' (just in case). 
If you do not use Autoconf, you can define the preprocessor symbol `_FILE_OFFSET_BITS' to 64 _before_ including any header files, for example by specifying the option `-D_FILE_OFFSET_BITS=64' on the compiler command line. You will also want to define the preprocessor symbol `LARGEFILE_SOURCE' to 1 in this case, to take advantage of some new interfaces. If you do not want to do either of the above, you probably know enough about the issue to invent your own solution. Just keep in mind that the GPGME header file expects that largefile support is enabled, if it is available. In particular, we do not support dual mode (`_LARGEFILE64_SOURCE'). From nsushkin at sushkins.net Mon Apr 11 21:08:25 2005 From: nsushkin at sushkins.net (Nicholas Sushkin) Date: Mon Apr 11 21:05:43 2005 Subject: Error at "bag.attributes" importing key from freemail cert into gpgsm In-Reply-To: <200504071615.30963.nsushkin@sushkins.net> References: <200504071615.30963.nsushkin@sushkins.net> Message-ID: <200504111508.25796.nsushkin@sushkins.net> Can anyone help me, please? Should I be looking at the PKCS-12 parsing code? On Thursday 07 April 2005 16:15, Nicholas Sushkin wrote: >... > gpgsm --call-protect-tool --p12-import --store > thawte-nsushkin_sushkins_net-exp20060407.privatekey.p12 > > After I enter my passphrase, I am getting the errors listed below. Am I doing > something wrong or did I hit a bug? > > Thanks. > ... > gpg-protect-tool: encryptedData error at "bag.attributes", offset 2592 > gpg-protect-tool: error at "bag.encryptedData", offset 49 > gpg-protect-tool: error parsing or decrypting the PKCS-12 file > -- Nick From peter.smilde at smilde-becker.net Mon Apr 11 21:10:06 2005 
From: peter.smilde at smilde-becker.net (Peter L. Smilde) Date: Mon Apr 11 21:06:00 2005 Subject: Smartcard error In-Reply-To: <20050409162250.GA22783@gondor.com> References: <200504082339.47521.peter.smilde@smilde-becker.net> <20050409162250.GA22783@gondor.com> Message-ID: <200504112110.06398.peter.smilde@smilde-becker.net> > > gpg: ccid_transceive failed: (0x1000a) > > gpg: apdu_send_simple(0) failed: card I/O error > > See my mail to gnupg-devel - I have the same problem on debian. > With the options --disable-ccid --pcsc-driver /usr/lib/libpcsclite.so.1 > gnupg seems to work reliably. (After starting pcscd, of course) > > Jan Thanks, that solved it. But I didn't need the options --disable-ccid --pcsc-driver /usr/lib/libpcsclite.so. After starting pcscd just calling gpg -s or gpg -s did the job already. -- Peter From david69 at charter.net Mon Apr 11 19:08:10 2005 From: david69 at charter.net (David) Date: Mon Apr 11 22:08:14 2005 Subject: OpenPGP Smartcard Advantages Message-ID: <20050411170810.GA4266@charter.net> Hello, I am new to smartcards and I have a couple of questions about the OpenPGP smartcard from www.g10code.de 1. What are the advantages of this smartcard for storing my keys over other external media (especially if connected to an unsafe computer)? 2. Is the signing / encrypting done inside the card or the computer? (If connected to a compromised computer access to my private key can compromise the key itself.) Thank you for your help. David -- "The difference between fiction and reality? Fiction has to make sense." - Tom Clancy - From mconahan at zixtestott.com Mon Apr 11 22:26:20 2005 
From: mconahan at zixtestott.com (mconahan@zixtestott.com) Date: Mon Apr 11 22:22:15 2005 Subject: Problems encrypting binary with GnuPGMe In-Reply-To: <425AAF68.9010800@zixtestott.com> References: <425AAF68.9010800@zixtestott.com> Message-ID: <425ADD6C.7040803@zixtestott.com> mconahan@zixtestott.com wrote: > Hi everyone, > > I was wondering if anyone has come across problems encrypting > binary with GnuPGME? My app is using GnuPGME to PGP-Inline encrypt > MIME; however, my app is having problems with encrypting binary file > attachments, after they have been base64 decoded. My app is using the > GnuPGME function gpgme_op_encrypt to encrypt; the function mentions > that it accepts plaintext (nothing mentioned about binary data), so I > may be out of luck here. I just wanted to see if anybody has any > ideas/workarounds. > > Thanks, > > Michael > Despite the plethora of responses I received, I was able to solve the problem. FYI, GnuPGME can encrypt binary files just fine. From peter.smilde at smilde-becker.net Mon Apr 11 22:48:17 2005 From: peter.smilde at smilde-becker.net (Peter L. Smilde) Date: Mon Apr 11 22:44:17 2005 Subject: Smartcard error In-Reply-To: <87br8lcsou.fsf@wheatstone.g10code.de> References: <200504082339.47521.peter.smilde@smilde-becker.net> <87br8lcsou.fsf@wheatstone.g10code.de> Message-ID: <200504112248.17725.peter.smilde@smilde-becker.net> On Monday 11 April 2005 16:08, Werner Koch wrote: > On Fri, 8 Apr 2005 23:39:47 +0200, Peter L Smilde said: > > The same command run fine under Win-XP (with the same smartcard, the same > > sc-reader (SCR 355) and the same version of gpg). > > Did you applied the attached patch, which is also in the current CVS > version? I applied your patch now, but unfortunately with no different result. -- Peter From marcus.brinkmann at ruhr-uni-bochum.de Tue Apr 12 00:15:12 2005 
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Tue Apr 12 00:16:03 2005 Subject: GPGME and Debian In-Reply-To: <425AE7A8.9090302@eml.cc> References: <87fyxxct4x.fsf@wheatstone.g10code.de> <87r7hhkwi1.wl@ulysses.g10code.de> <425AE7A8.9090302@eml.cc> Message-ID: <87oeclkljj.wl@ulysses.g10code.de> At Mon, 11 Apr 2005 23:10:00 +0200, Harry Brueckner wrote: > Thanks for your reply. The setting of -D_FILE_OFFSET_BITS=64 fixes this > problem. I do use autoconf and also call 'gpgme-config' to find out > which CFLAGS I need. Shouldn't this be returned by 'gpgme-config --cflags'? I wouldn't think so. The config scripts are traditionally just for the compiler and linker arguments to find the header files and the libraries wherever they are installed. It's a no-brainer. Setting the file offset bits to 64 is a deeply penetrating decision that must be done consciously by the developer, and needs to be coordinated with the other libraries used and the application code. It has global, far-reaching effects. > One more question which I couldn't find any answer for so far - is there > a way to get the keys a file is encrypted for? gpg shows this > information right before it shows the decrypted data and also with > '--list-only'. Maybe you can help me find an answer for this issue as well? Werner forwarded me your suggestion on gnupg-user from a while ago. It is easy to add, and I think I can do it soon. The information is already provided by gnupg, we just need to store it in the result structure. > Thanks a lot for your help!! np. Note that such issues are all more appropriately for gnupg-devel, which I am following (I don't follow gnupg-users, sorry). Thanks, Marcus From johanw at vulcan.xs4all.nl Tue Apr 12 00:09:36 2005 
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Apr 12 00:42:21 2005 Subject: potentially serious problem (was Re: WinPT on Windows NT problem)[C In-Reply-To: <20050411045722.GA333@daredevil.joesixpack.net> from Timo Schulz at "Apr 11, 2005 06:57:22 am" Message-ID: <200504112209.AAA00790@vulcan.xs4all.nl> Timo Schulz wrote: >I don't know the exact version of IE which is needed. And I still think >that today a newbie would rather use XP than any older W32 version. Should, perhaps, But can? I've constructed some PC's from old (P1-P2 hardware) that was dumped by companies, installed win98SE on it and gave them to some people who don't have much money to spare. XP doesn't run on such hardware, but I'd like to teach those people something about security and encryption. But first I'll have to teach them how NOT to install spyware that crashes the PC so they'll have to call me to clean it up. :-( . -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Tue Apr 12 09:47:40 2005 
From: wk at gnupg.org (Werner Koch) Date: Tue Apr 12 09:46:37 2005 Subject: OpenPGP Smartcard Advantages In-Reply-To: <20050411170810.GA4266@charter.net> (david69@charter.net's message of "Mon, 11 Apr 2005 10:08:10 -0700") References: <20050411170810.GA4266@charter.net> Message-ID: <874qec8mhv.fsf@wheatstone.g10code.de> On Mon, 11 Apr 2005 10:08:10 -0700, David said: > 1. What are the advantages of this smartcard for storing my keys over > other external media (especially if connected to an unsafe computer)? Without physical access to the card it is not possible to extract the keys. With physical access it is hard to do, expensive and destroys the card. > 2. Is the signing / encrypting done inside the card or the computer? > (If connected to a compromised computer access to my private key can > compromise the key itself.) Signing and decrypting is done inside the card. The only thing a malicious host can do is to lock the card (by sending several times a wrong PIN) and to trick you into signing or decrypting data. Salam-Shalom, Werner From wk at gnupg.org Tue Apr 12 12:25:57 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Apr 12 12:26:40 2005 Subject: Error at "bag.attributes" importing key from freemail cert into gpgsm In-Reply-To: <200504071615.30963.nsushkin@sushkins.net> (Nicholas Sushkin's message of "Thu, 7 Apr 2005 16:15:30 -0400") References: <200504071615.30963.nsushkin@sushkins.net> Message-ID: <87ll7o70lm.fsf@wheatstone.g10code.de> On Thu, 7 Apr 2005 16:15:30 -0400, Nicholas Sushkin said: > gpgsm --call-protect-tool --p12-import --store > thawte-nsushkin_sushkins_net-exp20060407.privatekey.p12 A simple gpgsm --import foo.p12 will do. Are you using the latest version? If not, please try 1.9.15 or the CVS version. If it still fails, please send me a sample file and the passwords. Thanks, Werner From Jon.Morisey at serono.com Tue Apr 12 12:33:06 2005 
From: Jon.Morisey at serono.com (Jon.Morisey@serono.com) Date: Tue Apr 12 13:31:26 2005 Subject: Jon Morisey/USR/SERONO is out of the office. Message-ID: I will be out of the office starting 04/12/2005 and will not return until 04/25/2005. I will respond to your message when I return. Please direct other questions to Tim Golden or my cell at 781-308-9295. From mconahan at zixtestott.com Tue Apr 12 15:55:47 2005 
From: mconahan at zixtestott.com (mconahan@zixtestott.com) Date: Tue Apr 12 15:51:45 2005 Subject: Problems finding keyring with GnuPGME Message-ID: <425BD363.1080101@zixtestott.com> Hi everyone, I created a Linux application that uses GnuPGME. The app is started by a server process, and as a result is having troubles accessing PGP keyrings. This is probably a permissions thing, as I installed GnuPG as the root user; the API (GnuPGME) is probably looking for the keyring at /root/.gnupg/. FYI, if I run my app as root on the command line, everything works fine; however, I need to start this process with a server. I am currently looking at three options: 1) update the GnuPGME keyring functions that I use to allow me to specify arbitrary keyrings of my choice, 2) investigate what user process is running my app, and create a home directory for it with keyrings and all, or 3) investigate if there is some undocumented function in GnuPGME that I can use to help me specify the keyring of my choice. Any help/advice provided by anyone would be greatly appreciated. From nsushkin at sushkins.net Tue Apr 12 16:34:19 2005 
From: nsushkin at sushkins.net (Nicholas Sushkin) Date: Tue Apr 12 16:31:57 2005 Subject: Error at "bag.attributes" importing key from freemail cert into gpgsm In-Reply-To: <87ll7o70lm.fsf@wheatstone.g10code.de> References: <200504071615.30963.nsushkin@sushkins.net> <87ll7o70lm.fsf@wheatstone.g10code.de> Message-ID: <200504121034.20015.nsushkin@sushkins.net> On Tuesday 12 April 2005 06:25, Werner Koch wrote: > On Thu, 7 Apr 2005 16:15:30 -0400, Nicholas Sushkin said: > > > gpgsm --call-protect-tool --p12-import --store > > thawte-nsushkin_sushkins_net-exp20060407.privatekey.p12 > > A simple > > gpgsm --import foo.p12 > > will do. Are you using the latest version? If not, please try 1.9.15 > or the CVS version. If it still fails, please send me a sample file > and the passwords. Werner, Thanks so much for your reply. I was using 1.9.15, gpgsm --import failed with the same error. I'll try CVS next. -- Nick From harry_b at mm.st Tue Apr 12 16:39:35 2005 
From: harry_b at mm.st (harry_b@mm.st) Date: Tue Apr 12 16:35:36 2005 Subject: Problems finding keyring with GnuPGME In-Reply-To: <425BD363.1080101@zixtestott.com> References: <425BD363.1080101@zixtestott.com> Message-ID: <05B51F05D8010B3A95DE1741@toughbook> Hi, this should be quite easy - just set the environment variable GNUPGHOME before you start your process and all should be fine. It defaults to '$HOME/.gnupg' I think but you can set it to whatever you want. The directory should not be readable by anybody else than the current user. HTH, Harry --On Tuesday, April 12, 2005 09:55:47 -0400 mconahan@zixtestott.com wrote: > Hi everyone, > > I created a Linux application that uses GnuPGME. The app is started > by a server process, and as a result is having troubles accessing PGP > keyrings. This is probably a permissions thing, as I installed GnuPG as > the root user; the API (GnuPGME) is probably looking for the keyring at > /root/.gnupg/. > > FYI, if I run my app as root on the command line, everything works fine; > however, I need to start this process with a server. > I am currently looking at three options: 1) update the GnuPGME keyring > functions that I use to allow me to specify arbitrary keyrings of my > choice, 2) investigate what user process is running my app, and create a > home directory for it with keyrings and all, or 3)investigate if there is > some undocumented function in GnuPGME that I can use to help me specify > the keyring of my choice. > > Any help/advice provided by anyone would be greatly appreciated. -- 1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++ ------END GEEK CODE BLOCK------ From david69 at charter.net Tue Apr 12 18:58:33 2005 
From: david69 at charter.net (David) Date: Tue Apr 12 18:54:20 2005 Subject: OpenPGP Smartcard Advantages In-Reply-To: <874qec8mhv.fsf@wheatstone.g10code.de> References: <20050411170810.GA4266@charter.net> <874qec8mhv.fsf@wheatstone.g10code.de> Message-ID: <20050412165833.GA9178@charter.net> On Tue, Apr 12, 2005 at 09:47:40AM +0200, Werner Koch wrote: > Signing and decrypting is done inside the card. > > The only thing a malicious host can do is to lock the card (by sending > several times a wrong PIN) and to trick you into signing or decrypting > data. > > > Salam-Shalom, > > Werner It means that the malicious host doesn't have access to my private key located on the smartcard while signing or decrypting a message on this host, and therefore, my private key is safe. Thanks, David From mconahan at zixtestott.com Tue Apr 12 19:32:04 2005 
From: mconahan at zixtestott.com (mconahan@zixtestott.com) Date: Tue Apr 12 19:28:03 2005 Subject: Problems finding keyring with GnuPGME In-Reply-To: <05B51F05D8010B3A95DE1741@toughbook> References: <425BD363.1080101@zixtestott.com> <05B51F05D8010B3A95DE1741@toughbook> Message-ID: <425C0614.5030105@zixtestott.com> harry_b@mm.st wrote: > Hi, > > this should be quite easy - just set the environment variable > GNUPGHOME before you start your process and all should be fine. > > It defaults to '$HOME/.gnupg' I think but you can set it to whatever > you want. The directory should not be readable by anybody else than > the current user. > > HTH, Harry > > > --On Tuesday, April 12, 2005 09:55:47 -0400 mconahan@zixtestott.com > wrote: > >> Hi everyone, >> >> I created a Linux application that uses GnuPGME. The app is started >> by a server process, and as a result is having troubles accessing PGP >> keyrings. This is probably a permissions thing, as I installed GnuPG as >> the root user; the API (GnuPGME) is probably looking for the keyring at >> /root/.gnupg/. >> >> FYI, if I run my app as root on the command line, everything works fine; >> however, I need to start this process with a server. >> I am currently looking at three options: 1) update the GnuPGME keyring >> functions that I use to allow me to specify arbitrary keyrings of my >> choice, 2) investigate what user process is running my app, and create a >> home directory for it with keyrings and all, or 3)investigate if >> there is >> some undocumented function in GnuPGME that I can use to help me specify >> the keyring of my choice. >> >> Any help/advice provided by anyone would be greatly appreciated. > > > -- > > 1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012 > > -----BEGIN GEEK CODE BLOCK----- > Version: 3.12 > GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M > V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++ > ------END GEEK CODE BLOCK----- > - Thanks! 
Your solution worked like magic. From christian.rank at rz.uni-passau.de Wed Apr 13 09:08:24 2005 From: christian.rank at rz.uni-passau.de (Christian Rank) Date: Wed Apr 13 09:04:19 2005 Subject: OpenPGP card and BasicCard Message-ID: <425CC568.3000800@rz.uni-passau.de> Hello, according to a notice at www.basiccard.com, the BasicCard manufactured by ZeitControl cardsystems GmbH should support the OpenPGP smartcard specification. Are the OpenPGP cards sold by kernelconcepts.de such BasicCards? Regards, -- Dr. Christian Rank Rechenzentrum Universität Passau Innstr. 33 D-94032 Passau GERMANY Tel.: 0851/509-1838 Fax: 0851/509-1802 PGP public key see http://www.rz.uni-passau.de/mitarbeiter/rank From wk at gnupg.org Wed Apr 13 11:21:36 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Apr 13 11:21:43 2005 Subject: OpenPGP card and BasicCard In-Reply-To: <425CC568.3000800@rz.uni-passau.de> (Christian Rank's message of "Wed, 13 Apr 2005 09:08:24 +0200") References: <425CC568.3000800@rz.uni-passau.de> Message-ID: <87ekdf3ucf.fsf@wheatstone.g10code.de> On Wed, 13 Apr 2005 09:08:24 +0200, Christian Rank said: > according to a notice at www.basiccard.com, the BasicCard manufactured > by ZeitControl cardsystems GmbH should support the OpenPGP smartcard > specification. Are the OpenPGP cards sold by kernelconcepts.de such > BasicCards? The cards are built upon the Basiccard OS but they are not a freely programmable Basiccard. Note, that Zeitcontrol's cards with RSA encryption are not available to end users (probably due to fear of litigation coming from pay TV companies; those using the security by litigation crypto algorithm). Zeitcontrol's page is somewhat misleading, claiming "OpenPGP select the...". Shalom-Salam, Werner From sargon at gmail.com Wed Apr 13 14:19:04 2005 
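Added example, not part of any post above: for the GNUPGHOME advice in the "Problems finding keyring with GnuPGME" thread, a launcher that checks the directory is private to the service account before exporting it. The function names and the placeholder paths in the last comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). check_gnupghome and
# run_with_gnupghome are hypothetical helper names.

# Octal permission bits of a path: GNU/busybox stat first, BSD stat second.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric uid of the owner of a path.
owner_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Succeed only if DIR is a real directory owned by the calling user, closed
# to group and other, and contains nothing that is more widely accessible.
check_gnupghome() {
    dir=$1
    uid=$(id -u)
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "GNUPGHOME must be a real directory: $dir" >&2
        return 1
    fi
    if [ "$(owner_of "$dir")" != "$uid" ]; then
        echo "GNUPGHOME is not owned by uid $uid: $dir" >&2
        return 1
    fi
    case $(mode_of "$dir") in
        *00) ;;
        *) echo "GNUPGHOME is open to group/other: $dir" >&2; return 1 ;;
    esac
    # Any entry (keyrings, trustdb, config) with a foreign owner or a
    # group/other permission bit fails the check. Symlinks are skipped
    # because their own mode bits carry no meaning.
    bad=$(find "$dir" ! -type l \( ! -user "$uid" \
        -o -perm -001 -o -perm -002 -o -perm -004 \
        -o -perm -010 -o -perm -020 -o -perm -040 \) -print | head -n 5)
    if [ -n "$bad" ]; then
        echo "unsafe entries under $dir:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Run a command with GNUPGHOME pointing at DIR, but only after DIR passes.
run_with_gnupghome() {
    dir=$1
    shift
    check_gnupghome "$dir" || return 1
    env GNUPGHOME="$dir" "$@"
}

# Typical use from the script that starts the service (placeholder paths):
#   run_with_gnupghome /var/lib/myapp/gnupg /usr/local/bin/myapp
```

The launcher must run as the same account as the service, since the ownership check compares against the calling uid.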
From: sargon at gmail.com (Sargon) Date: Wed Apr 13 15:15:27 2005 Subject: Encrypt with public key from stdin/file possible? Message-ID: Hi I have a public key of a recipient in ASCII or binary form and would like to feed gpg w/o importing it first in its public keyring and afterwards specify the ID of the public key. According to my researches on the net and on the gnupg.org site, there's no way to do this though. Can anyone confirm this? Kind regards, Sargon From wk at gnupg.org Wed Apr 13 16:38:30 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Apr 13 16:36:40 2005 Subject: Encrypt with public key from stdin/file possible? In-Reply-To: (sargon@gmail.com's message of "Wed, 13 Apr 2005 14:19:04 +0200") References: Message-ID: <874qea3fo9.fsf@wheatstone.g10code.de> On Wed, 13 Apr 2005 14:19:04 +0200, Sargon said: > like to feed gpg w/o importing it first in its public keyring and > afterwards specify the ID of the public key. According to my > researches on the net and on the gnupg.org site, there's no way to do > this though. > Can anyone confirm this? That's right. Shalom-Salam, Werner From dshaw at jabberwocky.com Wed Apr 13 17:07:39 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Wed Apr 13 17:04:46 2005 Subject: Encrypt with public key from stdin/file possible? In-Reply-To: References: Message-ID: <20050413150739.GA13198@jabberwocky.com> On Wed, Apr 13, 2005 at 02:19:04PM +0200, Sargon wrote: > Hi > > I have a public key of a recipient in ASCII or binary form and would > like to feed gpg w/o importing it first in its public keyring and > afterwards specify the ID of the public key. According to my > researches on the net and on the gnupg.org site, there's no way to do > this though. > > Can anyone confirm this? You can't do it without importing the key, but you can sort of fake what you want. Do something like:
gpg --no-default-keyring --keyring ./tempkeyring.gpg --import (thekey)
gpg --no-default-keyring --keyring ./tempkeyring.gpg --encrypt ......
rm tempkeyring.gpg
David From mwood at IUPUI.Edu Wed Apr 13 17:12:23 2005 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Wed Apr 13 17:56:59 2005 Subject: OpenPGP Smartcard Advantages In-Reply-To: <874qec8mhv.fsf@wheatstone.g10code.de> References: <20050411170810.GA4266@charter.net> <874qec8mhv.fsf@wheatstone.g10code.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That reminds me: would someone please point me to a thorough discussion of why I should be able to trust a smartcard, given that an untrusted computer has complete control of the channel between me and my card. - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Open-source executable: $0.00. Source: $0.00 Control: priceless! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFCXTbes/NR4JuTKG8RAvgKAJ9fF/iumhEFBJRd13b7ogTYRJwGXQCgoczw TOShHOEFPwaJuCzZN4BlKP8= =cgog -----END PGP SIGNATURE----- From christian.rank at rz.uni-passau.de Thu Apr 14 08:20:13 2005 
From: christian.rank at rz.uni-passau.de (Christian Rank) Date: Thu Apr 14 08:16:13 2005 Subject: OpenPGP card and BasicCard In-Reply-To: <87ekdf3ucf.fsf@wheatstone.g10code.de> References: <425CC568.3000800@rz.uni-passau.de> <87ekdf3ucf.fsf@wheatstone.g10code.de> Message-ID: <425E0B9D.8010804@rz.uni-passau.de> Werner Koch wrote: > On Wed, 13 Apr 2005 09:08:24 +0200, Christian Rank said: > >>according to a notice at www.basiccard.com, the BasicCard manufactured >>by ZeitControl cardsystems GmbH should support the OpenPGP smartcard >>specification. Are the OpenPGP cards sold by kernelconcepts.de such >>BasicCards? > > The cards are built upon the Basiccard OS but they are not a freely > programmable Basiccard. Note, that Zeitcontrol's cards with RSA > encryption are not available to end users (probably due to fear of > litigation coming from pay TV companies; those using the security by > litigation crypto algorithm). So the OpenPGP cards are ZeitControl's BasicCards with RSA encryption and the OpenPGP application loaded and put in state 'RUN' (no further programming of the card possible)? What I'm missing from the OpenPGP card is the ability to load a PKCS#15 structure on the card. This would make it possible to use this card not only for signing and encryption, but also for WWW authentication with client certificates. Is something like that planned in the future? Regards, Christian -- Dr. Christian Rank Rechenzentrum Universität Passau Innstr. 33 D-94032 Passau GERMANY Tel.: 0851/509-1838 Fax: 0851/509-1802 PGP public key see http://www.rz.uni-passau.de/mitarbeiter/rank From wk at gnupg.org Thu Apr 14 20:01:55 2005 
From: wk at gnupg.org (Werner Koch) Date: Thu Apr 14 20:01:41 2005 Subject: OpenPGP card and BasicCard In-Reply-To: <425E0B9D.8010804@rz.uni-passau.de> (Christian Rank's message of "Thu, 14 Apr 2005 08:20:13 +0200") References: <425CC568.3000800@rz.uni-passau.de> <87ekdf3ucf.fsf@wheatstone.g10code.de> <425E0B9D.8010804@rz.uni-passau.de> Message-ID: <871x9dxmng.fsf@wheatstone.g10code.de> On Thu, 14 Apr 2005 08:20:13 +0200, Christian Rank said: > So the OpenPGP cards are ZeitControl's BasicCards with RSA encryption > and the OpenPGP application loaded and put in state 'RUN' (no further > programming of the card possible)? Exactly. > What I'm missing from the OpenPGP card is the ability to load a PKCS#15 > structure on the card. This would make it possible to use this card not No way. There is a reason why we did this simple design. pkcs#15 is a complex thing with a lot of incompatibilities between implementations. > only for signing and encryption, but also for WWW authentication with > client certificates. Is something like that planned in the future? There is a vague plan of writing a pkcs#11 library using the card as actual crypto token. Most likely this library will speak to scdaemon via gpg-agent and thus support a variety of cards - including native pkcs#15 cards. AFAIK, there is pkcs#15 emulation code in OpenSC for our card. Not sure whether it is still functional; Olaf Kirch once wrote it and told me that he succeeded in using the card. Salam-Shalom, Werner From smfabac at att.net Fri Apr 15 06:43:30 2005 
From: smfabac at att.net (Steve M. Fabac, Jr.) Date: Fri Apr 15 06:39:58 2005 Subject: Need help exchanging keys with PGP 6.5.2 on AIX Message-ID: <425F4672.136CEBA3@att.net> I have not been successful in exchanging encrypted messages between PGP 6.5.2 on AIX and GnuPG 1.4.1. I am still learning with GnuPG and the curve is steep. The FAQ has suggestions for Encrypting messages with GnuPG for decryption with PGP, but no section on how to generate compatible public/private keys for exchange with PGP 6.5.2 on the AIX system. My first attempt to run gpg --gen-key and exchanging the public key with the AIX administrator resulted in
> [smf] unix!/u/smf/test $ gpg --decrypt testfile.txt.pgp | head
> gpg: [don't know]: invalid packet (ctb=6f)
when I tried to decrypt the test message. Then I tried
> gpg --pgp6 --gen-key
and specified (1) DSA and Elgamal (default) and
DSA key pair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 1024
After sending the resulting public key to the AIX administrator, decrypting the test message resulted in:
[smf] unix!/u/smf $ gpg --pgp6 --decrypt testfile.txt.pgp > bob
gpg: mpi too large (57092 bits)
and
[smf] unix!/u/smf $ gpg --decrypt testfile.txt.pgp > bob
gpg: mpi too large (57092 bits)
What should I try next? -- Steve Fabac S.M. Fabac & Associates 816/765-1670 From christian.rank at rz.uni-passau.de Fri Apr 15 07:45:23 2005 
From: christian.rank at rz.uni-passau.de (Christian Rank) Date: Fri Apr 15 07:41:21 2005 Subject: OpenPGP card and BasicCard In-Reply-To: <871x9dxmng.fsf@wheatstone.g10code.de> References: <425CC568.3000800@rz.uni-passau.de> <87ekdf3ucf.fsf@wheatstone.g10code.de> <425E0B9D.8010804@rz.uni-passau.de> <871x9dxmng.fsf@wheatstone.g10code.de> Message-ID: <425F54F3.1090804@rz.uni-passau.de> Werner Koch wrote: > On Thu, 14 Apr 2005 08:20:13 +0200, Christian Rank said: >>only for signing and encryption, but also for WWW authentication with >>client certificates. Is something like that planned in the future? > > > There is a vague plan of writing a pkcs#11 library using the card as > actual crypto token. Most likely this library will speak to scdaemon > via gpg-agent and thus support a variety of cards - including native > pkcs#15 cards. This sounds very promising ... > AFAIK, there is pkcs#15 emulation code in OpenSC for our card. Not > sure whether it is still functional; Olaf Kirch once wrote it and told > me that he succeeded in using the card. The current PKCS#15 emulation for the OpenPGP card is for version 1.0 and is read-only, so you can't load PKCS#15 data structures on the card (I tried it myself without success). I also tried encryption and signing operations without success, but that may be due to the fact that I have an OpenPGP card version 1.1, while the OpenSC support is for version 1.0. Regards, Christian -- Dr. Christian Rank Rechenzentrum Universität Passau Innstr. 33 D-94032 Passau GERMANY Tel.: 0851/509-1838 Fax: 0851/509-1802 PGP public key see http://www.rz.uni-passau.de/mitarbeiter/rank From kippenberg at web.de Fri Apr 8 08:49:09 2005 
From: kippenberg at web.de (Thomas Kippenberg) Date: Fri Apr 15 18:48:33 2005 Subject: WinPT on Windows NT problem Message-ID: <1811798784@web.de> > WinPT supports all Windows versions (95 limited). The problem is that some > OS components are too old. This is also a problem for other programs and > not just WinPT. If you update the Internet Explorer, you will get a newer > version of the needed components. You can also use the MS update site to > get a recent version. After updating to IE6.0SP1 (which is the latest available version for WinNT) and applying all available patches, the version of SHELL32.dll is still 4.00. Perhaps WinNT should be added to the list of systems which are not supported :-( Thomas From R.VRenterghem at mac.com Mon Apr 11 11:25:43 2005 From: R.VRenterghem at mac.com (Raphael Van Renterghem) Date: Fri Apr 15 18:48:38 2005 Subject: After installing the new release. Message-ID: Hello, I am sorry to ask one question that could be a bit silly for an expert like you... I have installed GnuPG 1.4.1 like an angel, but I am little worry about something. Do I need to revoke my previous key, generate new one and then publish it to the key server with this release? Many thanks, Raf. From harry_b at eml.cc Mon Apr 11 23:10:00 2005 
From: harry_b at eml.cc (Harry Brueckner) Date: Fri Apr 15 18:48:41 2005 Subject: GPGME and Debian In-Reply-To: <87r7hhkwi1.wl@ulysses.g10code.de> References: <87fyxxct4x.fsf@wheatstone.g10code.de> <87r7hhkwi1.wl@ulysses.g10code.de> Message-ID: <425AE7A8.9090302@eml.cc> Hi Marcus, Marcus Brinkmann wrote: >> 2. I compiled t-encrypt-sign.c manually and linked it against my >> systems library running the command >> 'gcc -lgpgme t-encrypt-sign.c -o t-encrypt-sign' >> >> > >You need -D_FILE_OFFSET_BITS=64. I paste the relevant section of the >manual below. > >This is a FQ, we probably should have a FAQ. > > Thanks for your reply. The setting of -D_FILE_OFFSET_BITS=64 fixes this problem. I do use autoconf and also call 'gpgme-config' to find out which CFLAGS I need. Shouldn't this be returned by 'gpgme-config --cflags'? One more question which I couldn't find any answer for so far - is there a way to get the keys a file is encrypted for? gpg shows this information right before it shows the decrypted data and also with '--list-only'. Maybe you can help me find an answer for this issue as well? Thanks a lot for your help!! Harry From r01 at rossbergs.com Thu Apr 14 09:49:17 2005 From: r01 at rossbergs.com (Johan) Date: Fri Apr 15 18:48:42 2005 Subject: PGP or GnuPG Message-ID: <3291.217.208.33.41.1113464957.squirrel@webmail.levonline.com> Hello, I am trying to decide if I should use GnuPG or PGP and I got confused when I read point nine in the PGP whitepaper "http://download.pgp.com/pdfs/whitepapers/Top10_Why-PGP_050105_FL.pdf". To me this say that "easy data recovery" is only a matter of money. Am I right or where can I read about how ADK and key reconstruction etc actually works. Best regards, Johan From dshaw at jabberwocky.com Fri Apr 15 19:06:26 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri Apr 15 19:03:31 2005 Subject: After installing the new release. In-Reply-To: References: Message-ID: <20050415170626.GA27995@jabberwocky.com> On Mon, Apr 11, 2005 at 10:25:43AM +0100, Raphael Van Renterghem wrote: > Hello, > > I am sorry to ask one question that could be a bit silly for an expert > like you... > > I have installed GnuPG 1.4.1 like an angel, but I am little worry about > something. > Do I need to revoke my previous key, generate new one and then publish > it to the key server with this release? No, you can keep using your current key. No problem. David From cwsiv at keepandbeararms.com Fri Apr 15 19:14:09 2005 From: cwsiv at keepandbeararms.com (Carl William Spitzer IV) Date: Fri Apr 15 19:10:58 2005 Subject: OpenPGP Message Encryption in JavaScript In-Reply-To: <003301c530c2$414b74e0$f500a8c0@HOME> References: <003301c530c2$414b74e0$f500a8c0@HOME> Message-ID: <1113584591.4409.0.camel@linux.site> On Thu, 2005-03-24 at 14:38, Kiefer, Sascha wrote: > Hi. > > I just found this website: http://www.hanewin.de/encrypt/main.htm > I think it's pretty nice. > Would do you think about it? > Definitely looks like fun. Perhaps one day it will be simplified to run as a CGI program so all form mail can be private. CWSIV From wren at hunt.org Fri Apr 15 17:26:55 2005 
From: wren at hunt.org (J. Wren Hunt) Date: Fri Apr 15 21:24:01 2005 Subject: PGP or GnuPG In-Reply-To: <3291.217.208.33.41.1113464957.squirrel__37259.7960209989$1113584344$gmane$org@webmail.levonline.com> References: <3291.217.208.33.41.1113464957.squirrel__37259.7960209989$1113584344$gmane$org@webmail.levonline.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Johan wrote: | Hello, | | I am trying to decide if I should use GnuPG or PGP and I got confused when | I read point nine in the PGP whitepaper | "http://download.pgp.com/pdfs/whitepapers/Top10_Why-PGP_050105_FL.pdf". To | me this say that "easy data recovery" is only a matter of money. Am I | right or where can I read about how ADK and key reconstruction etc | actually works. | | Best regards, | Johan IIRC the online help for PGP 8.x (licensed or freeware) has a pretty good section on ADK. Note that you would have to explicitly specify this type of key setup in order to get the key reconstruction capabilities - it's important to note that it's not the default action. You're not going to be able to take your data to a data recovery shop and pay them big $$$ to "reconstruct" a key if you don't already have the prerequisite # of key shares. Wren -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCX90+A/qR4Uok1vQRA7Y5AJ9gvk3nTFIeuljp+hj3TeRgktGa2wCdGObF CsuROdT/dHOwoZvxjGDvDBE= =tREA -----END PGP SIGNATURE----- From wk at gnupg.org Fri Apr 15 21:57:39 2005 
From: wk at gnupg.org (Werner Koch) Date: Fri Apr 15 21:56:40 2005 Subject: OpenPGP card and BasicCard In-Reply-To: <425F54F3.1090804@rz.uni-passau.de> (Christian Rank's message of "Fri, 15 Apr 2005 07:45:23 +0200") References: <425CC568.3000800@rz.uni-passau.de> <87ekdf3ucf.fsf@wheatstone.g10code.de> <425E0B9D.8010804@rz.uni-passau.de> <871x9dxmng.fsf@wheatstone.g10code.de> <425F54F3.1090804@rz.uni-passau.de> Message-ID: <878y3ju824.fsf@wheatstone.g10code.de> On Fri, 15 Apr 2005 07:45:23 +0200, Christian Rank said: > operations without success, but that may be due to the fact that I have > an OpenPGP card version 1.1, while the OpenSC support is for version 1.0. That does not matter. The changes in 1.1 are: 4 new data objects - OpenSC does not know about this such they can't disturb. The public key may now be readout without presenting CHV3 first - it doesn't matter if you present it anyway. So I can't see a reason why 1.1 should make any difference. Salam-Shalom, Werner From erpo41 at hotpop.com Sat Apr 16 09:24:35 2005 
From: erpo41 at hotpop.com (Erpo) Date: Sat Apr 16 09:18:20 2005 Subject: XY cromosomas In-Reply-To: <200504072041.19378.ochominutosdearco@gmail.com> References: <200504072041.19378.ochominutosdearco@gmail.com> Message-ID: <1113636275.6233.12.camel@localhost.localdomain> On Thu, 2005-04-07 at 20:41 +0200, H wrote: > Is that forced in this case? is not enough to be sure about her identity? I am > forbidden to sign by the gpg rules? There are no hard and fast technical "gpg rules" that specify when you should and should not sign someone else's key. If you sign a key when you shouldn't, or if you don't sign a key when you should, the system is not likely to come crashing down. The very worst that can happen is that someone will believe that you have bad key signing judgement and decide to trust you less. The simple explanation is that when you sign someone's key, you are saying that the information attached to the key describes the person who holds the associated secret key. So if the key is associated with the name "Clare Apellido" or just "Clare" and you know that the key belongs to someone with that name, you can go ahead and sign the key. If the key has a photo ID attached, so much the better. Eric From atom at smasher.org Sat Apr 16 09:27:59 2005 
From: atom at smasher.org (Atom Smasher) Date: Sat Apr 16 09:23:51 2005 Subject: Encrypt with public key from stdin/file possible? In-Reply-To: <20050413150739.GA13198@jabberwocky.com> References: <20050413150739.GA13198@jabberwocky.com> Message-ID: <20050416072756.65240.qmail@smasher.org> On Wed, 13 Apr 2005, David Shaw wrote: >On Wed, Apr 13, 2005 at 02:19:04PM +0200, Sargon wrote: >> I have a public key of a recipient in ASCII or binary form and would >> like to feed gpg w/o importing it first in its public keyring and >> afterwards specify the ID of the public key. According to my researches >> on the net and on the gnupg.org site, there's no way to do this though. >> >> Can anyone confirm this? > > You can't do it without importing the key, but you can sort of fake what > you want. Do something like: >
> gpg --no-default-keyring --keyring ./tempkeyring.gpg --import (thekey)
> gpg --no-default-keyring --keyring ./tempkeyring.gpg --encrypt ......
> rm tempkeyring.gpg
============== there's a better way to fake it... let's say you want to encrypt a message to me, and have my key in a binary file "D9F57808.key":
gpg --no-default-keyring --keyring /path/to/D9F57808.key -er D9F57808
you may want to add "--trust-model always" to the command. this only works with binary, not ascii, key files. keys in ascii would have to be converted into binary, or use the import method described by david. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Because, it isn't just a stupid little mistake, Ok? You have to understand Coke's business. How does Coke make money?" "They sell syrup to bottlers." "Right. And...." "And?" "And they license the rights to print their corporate art on the cans and bottles to those bottlers. 
So what are those bottlers going to say after finding out they've been paying twelve years worth of licensing fees for a fraudulent copyright?" -- Bob Kolody, explaining the implications of his suit against Coca-Cola http://www.guerrillanews.com/cocakarma/ From ochominutosdearco at gmail.com Sun Apr 17 00:41:06 2005 
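Added example, not part of the thread: the throwaway-keyring approach from David Shaw's and Atom Smasher's replies, with one check added before "--trust-model always" is used, namely that the imported key's fingerprint equals one obtained out of band. It uses a temporary --homedir rather than --keyring so that the default trustdb is not touched either; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Remove whitespace and upper-case hex digits so that spaced, lower-case
# and compact spellings of a fingerprint compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of the
# first key listed (field 10 of the first "fpr" record, the primary key).
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_to_keyfile KEYFILE EXPECTED_FPR PLAINTEXT
# Imports KEYFILE (ASCII-armored or binary) into a throwaway GnuPG home,
# refuses to continue unless its fingerprint equals EXPECTED_FPR, then
# writes PLAINTEXT.gpg. The user's own keyring and trustdb are not opened.
encrypt_to_keyfile() {
    keyfile=$1
    want=$(normalize_fpr "$2")
    plain=$3
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"

    if ! gpg --homedir "$tmp" --batch --quiet --import "$keyfile"; then
        rm -rf "$tmp"
        return 1
    fi
    got=$(gpg --homedir "$tmp" --batch --with-colons --fingerprint | first_fpr)
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: expected $want, key file has $got" >&2
        rm -rf "$tmp"
        return 1
    fi
    # --trust-model always skips GnuPG's validity check on the recipient
    # key; the fingerprint comparison above is what stands in for it here.
    gpg --homedir "$tmp" --batch --trust-model always \
        --recipient "$want" --output "$plain.gpg" --encrypt "$plain"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run only when the script is called with exactly three arguments:
#   sh encrypt-to-keyfile.sh KEYFILE EXPECTED_FPR PLAINTEXT
if [ "$#" -eq 3 ]; then
    encrypt_to_keyfile "$1" "$2" "$3"
fi
```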
From: ochominutosdearco at gmail.com (H) Date: Sun Apr 17 00:37:39 2005 Subject: XY cromosomas In-Reply-To: <1113636275.6233.12.camel@localhost.localdomain> References: <200504072041.19378.ochominutosdearco@gmail.com> <1113636275.6233.12.camel@localhost.localdomain> Message-ID: <200504170041.11191.ochominutosdearco@gmail.com> Ok, thank you for the help. On Saturday, 16 April 2005 09:24, Erpo wrote: > On Thu, 2005-04-07 at 20:41 +0200, H wrote: > > Is that forced in this case? is not enough to be sure about her identity? > > I am forbidden to sign by the gpg rules? > > There are no hard and fast technical "gpg rules" that specify when you > should and should not sign someone else's key. If you sign a key when > you shouldn't, or if you don't sign a key when you should, the system is > not likely to come crashing down. The very worst that can happen is that > someone will believe that you have bad key signing judgement and decide > to trust you less. > > The simple explanation is that when you sign someone's key, you are > saying that the information attached to the key describes the person who > holds the associated secret key. So if the key is associated with the > name "Clare Apellido" or just "Clare" and you know that the key belongs > to someone with that name, you can go ahead and sign the key. If the key > has a photo ID attached, so much the better. > > > Eric -- http://h.says.it jabber: h@myjabber.net From erpo41 at hotpop.com Sat Apr 16 09:51:03 2005 
From: erpo41 at hotpop.com (Erpo) Date: Sun Apr 17 04:51:16 2005 Subject: PGP or GnuPG In-Reply-To: <3291.217.208.33.41.1113464957.squirrel@webmail.levonline.com> References: <3291.217.208.33.41.1113464957.squirrel@webmail.levonline.com> Message-ID: <1113637863.6233.36.camel@localhost.localdomain> On Thu, 2005-04-14 at 09:49 +0200, Johan wrote: > Hello, > > I am trying to decide if I should use GnuPG or PGP and I got confused when > I read point nine in the PGP whitepaper > "http://download.pgp.com/pdfs/whitepapers/Top10_Why-PGP_050105_FL.pdf". To > me this say that "easy data recovery" is only a matter of money. Am I > right or where can I read about how ADK and key reconstruction etc > actually works. I'm having a bit of a hard time deciphering your question, but I think I can answer it to some degree. Point 9 does NOT mean that another entity (e.g. a business competitor, system cracker, or government) will be able to decrypt your data if they have a whole lot of money and you're not using a PGP Corporation product. In fact, if you use binary programs from an entity like PGP Corporation instead of open source GPG as part of your security system, you are MORE vulnerable to this kind of attack. It would be much easier for a wealthy attacker to pay off or break the fingers of someone who works for PGP Corporation in order to get a back door inserted into their software than it would be to do the same with GPG. The reason is that you can download and examine the source code of GPG, and then compile this audited code for use in your system. This is the meaning of point 9 according to my interpretation: Suppose there's a company called Alice Corporation that has an employee named Bob. Bob has the only copy of an important document, and it's encrypted with his key. That means Bob is the only one who can decrypt this document. Now suppose that Bob loses his key, or refuses to decrypt the document; this would mean Alice Corporation is in trouble. 
One way to guard against this possibility is to keep a backup of Bob's private key. Then if Bob refuses to decrypt the document or loses his key, the corporation can still get at it. The essence of point 9 is that the above is a clumsy solution that creates a lot of new problems, and that PGP Corporation's software provides more refined options for mitigating this risk. However, you'll notice this passage near the end of point 9: "PGP Corporation provides solutions that feature patented Additional Decryption Key (ADK) options [...]" This should set off alarm bells when you read it for two reasons: 1. When you make the choice to use patented software, you put yourself in a position to fall victim to vendor lock-in. With sufficient legal resources, the holder of the patent could prevent other software authors from creating competing software, thus forcing you to stay with the original company, even if the costs of staying with that particular vendor increase and the benefits decrease. 2. When you make the choice to use patented software, especially if you have to pay for the privilege, you make the statement that you support software patents. This is bad for everyone. Now, I should make it plain that I don't know whether or not PGP Corporation enforces this particular patent to the detriment of the general public. However, even if it doesn't, it could change its mind in the future. Hope some of this helps, Eric From jharris at widomaker.com Sun Apr 17 23:42:13 2005 
From: jharris at widomaker.com (Jason Harris)
Date: Sun Apr 17 23:38:34 2005
Subject: new (2005-04-17) keyanalyze results (+sigcheck)
Message-ID: <20050417214212.GO356@wilma.widomaker.com>

New keyanalyze results are available at:
  http://keyserver.kjsl.com/~jharris/ka/2005-04-17/

Signatures are now being checked using keyanalyze+sigcheck:
  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:
  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:
  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From joerg at schmitz-linneweber.de Mon Apr 18 16:49:57 2005
From: joerg at schmitz-linneweber.de (Joerg Schmitz-Linneweber)
Date: Mon Apr 18 17:46:03 2005
Subject: OpenPGP smartcard and crpyto fs
Message-ID: <200504181650.03925.joerg@schmitz-linneweber.de>

Hi all!

I would like to use my O.card to securely hold an encryption key to be used by the Linux "crypto filesystem". This fs uses a utility "losetup" at startup which asks for a passphrase/keyword to be used as encryption/decryption key. losetup can be configured to use a file descriptor to read this info from a file. OK.

Next thing is: I don't want to let the card do all the encryption ;-) (I think it would be a little bit slow... although the key would stay safely inside the card...)

Next thing (which works here), was to use a gpg encrypted file containing the passphrase(es) and doing something like

"cat ~/.crypto-fs-key.gpg|gpg -q --decrypt -r 0xdeadbeef 2>/dev/null"

but one problem was gpg spitting out these "Please insert...." and "PIN" info on stdout, and I'm not very comfortable with my passwords lying around on the disks... (although they *are* encrypted).

What I would like would be to pull out some secret key (or plain data) and hand it over to losetup directly. I know that then the key can no longer be viewed as secure as it leaves the card, but that would be ok for me.

Anyone who thought about a scenario like this?

TIA. Salut, Jörg

--
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512

From adam00f at ducksburg.com Mon Apr 18 18:11:10 2005
From: adam00f at ducksburg.com (Adam Funk) Date: Mon Apr 18 18:07:27 2005 Subject: Revocation certificate still valid after changing subkeys? Message-ID: <200504181611.j3IGBAw25235@Porthos.co.umist.ac.uk> When I created my keypair I dutifully created and safely stored a revocation certificate for it. I recently added a new subkey and revoked the old subkey (as discussed on this list). I've also added and revoked a few UIDs since the key was created. Is there any reason to generate a new revocation certificate? Or does it apply directly to the master key only? Thanks, Adam From dshaw at jabberwocky.com Mon Apr 18 18:18:35 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Apr 18 18:15:16 2005 Subject: Revocation certificate still valid after changing subkeys? In-Reply-To: <200504181611.j3IGBAw25235@Porthos.co.umist.ac.uk> References: <200504181611.j3IGBAw25235@Porthos.co.umist.ac.uk> Message-ID: <20050418161835.GC13684@jabberwocky.com> On Mon, Apr 18, 2005 at 05:11:10PM +0100, Adam Funk wrote: > When I created my keypair I dutifully created and safely stored a > revocation certificate for it. > > I recently added a new subkey and revoked the old subkey (as discussed > on this list). I've also added and revoked a few UIDs since the key > was created. > > Is there any reason to generate a new revocation certificate? Or does > it apply directly to the master key only? It applies to the master key only. You do not need to generate a new revocation certificate. Revoking the master key takes out all UIDs and subkeys in one step. David From patrick at fexl.com Tue Apr 19 00:39:34 2005 
From: patrick at fexl.com (Patrick Chkoreff) Date: Tue Apr 19 01:14:19 2005 Subject: Retrieving signature from message that was encrypted and signed in one step Message-ID: <312cdb4adbf2b64ba9103be86f5987a8@fexl.com> I have a message that was encrypted and signed in one step. When I decrypt it, I can read the message and see that the signature is valid. So far so good. I would now like to relay this message to a third party so he can verify the signature too. But as far as I know, GPG has no way to do this. Can GPG do this? If not, why not? Is this lack of ability actually a feature? I suppose it could be a feature, because this gives the sender a way to prove to ME that he signed something, without giving me a way to prove that to anyone else. Is that the reason why what I want to do is not possible with GPG? Thanks, Patrick From atom at smasher.org Tue Apr 19 02:10:18 2005 
From: atom at smasher.org (Atom Smasher) Date: Tue Apr 19 02:06:07 2005 Subject: Retrieving signature from message that was encrypted and signed in one step In-Reply-To: <312cdb4adbf2b64ba9103be86f5987a8@fexl.com> References: <312cdb4adbf2b64ba9103be86f5987a8@fexl.com> Message-ID: <20050419001014.43106.qmail@smasher.org> On Mon, 18 Apr 2005, Patrick Chkoreff wrote: > I have a message that was encrypted and signed in one step. When I > decrypt it, I can read the message and see that the signature is valid. > So far so good. > > I would now like to relay this message to a third party so he can verify > the signature too. But as far as I know, GPG has no way to do this. > > Can GPG do this? If not, why not? Is this lack of ability actually a > feature? I suppose it could be a feature, because this gives the sender > a way to prove to ME that he signed something, without giving me a way > to prove that to anyone else. > > Is that the reason why what I want to do is not possible with GPG? =================== there's no reason it can't be done, but i don't know of any application that can do it. for now, the only way to do it is to extract the session key from the message (--show-session-key) and send that along with the encrypted message to your 3rd party. they can use "--override-session-key" to decrypt the message and verify the signature. in most cases the session key should be encrypted (to your 3rd party), because anyone who gets a hold of the session key can read the message. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The Final Act of the Uruguay Round, marking the conclusion of the most ambitious trade negotiation of our century, will give birth - in Morocco - to the World Trade Organization, the third pillar of the New World Order, along with the United Nations and the International Monetary Fund." 
-- Part of full-page advertisement by the government of Morocco in The New York Times (April 1994) From patrick at fexl.com Tue Apr 19 06:07:23 2005 From: patrick at fexl.com (Patrick Chkoreff) Date: Tue Apr 19 06:03:37 2005 Subject: Retrieving signature from message that was encrypted and signed in one step In-Reply-To: <20050419001014.43106.qmail@smasher.org> References: <312cdb4adbf2b64ba9103be86f5987a8@fexl.com> <20050419001014.43106.qmail@smasher.org> Message-ID: On Apr 18, 2005, at 8:10 PM, Atom Smasher wrote: > for now, the only way to do it is to extract the session key from the > message (--show-session-key) and send that along with the encrypted > message to your 3rd party. they can use "--override-session-key" to > decrypt the message and verify the signature. How neat, thanks for the pointer. Fortunately I do not intend to use this feature routinely, it would only be for rare cases where a dispute might arise. But yes, the feature does work as you describe. For example: % gpg --show-session-key " > in most cases the session key should be encrypted (to your 3rd party), > because anyone who gets a hold of the session key can read the > message. Sure, I would have the option of disclosing the session key to anyone or everyone. Thanks again! Best Regards, Patrick From folkert at vanheusden.com Tue Apr 19 10:55:07 2005 
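The relay procedure Atom Smasher describes above, written out as an added shell example that is not part of either post: the original recipient extracts the session key, wraps it for the third party, and the third party decrypts and checks the signature with it. The function names and the `GPG` variable are this example's own, and the sample gpg output lines in its checks are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): relay a message's session key so a
# third party can decrypt it and verify the embedded signature.
# Function names and the GPG variable are this example's own.

GPG=${GPG:-gpg}    # assumption: gpg is on PATH

# Read gpg's diagnostics on stdin and print the first "algo:hex" session key.
# GnuPG 1.4 prints   gpg: session key: "9:0123..."   and GnuPG 2.x uses
# single quotes; the "." on each side of the capture accepts either.
extract_session_key() {
    sed -n 's/^gpg: session key: .\([0-9][0-9]*:[0-9A-Fa-f][0-9A-Fa-f]*\).$/\1/p' |
        head -n 1
}

# Original recipient: decrypt with the private key, discard the plaintext,
# keep only the session key that gpg reports on stderr.
show_session_key() {    # $1 = encrypted+signed file
    "$GPG" --show-session-key --decrypt "$1" 2>&1 >/dev/null | extract_session_key
}

# Original recipient: encrypt the session key to the third party only.
# Anyone holding it can read the message, so it should not travel in the clear.
wrap_session_key() {    # $1 = session key, $2 = third party's key ID, $3 = output file
    printf '%s\n' "$1" | "$GPG" --armor --encrypt --recipient "$2" --output "$3"
}

# Third party: decrypt with the relayed key instead of a private key; gpg
# prints the plaintext and reports the signature check as usual.
# The key is visible in the process list while gpg runs.
verify_with_session_key() {    # $1 = session key, $2 = encrypted+signed file
    case $1 in
        ''|*[!0-9A-Fa-f:]*) echo "malformed session key" >&2; return 2 ;;
    esac
    "$GPG" --override-session-key "$1" --decrypt "$2"
}
```

The session key opens only this one message; the recipient's private key and other messages stay protected.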
From: folkert at vanheusden.com (folkert@vanheusden.com)
Date: Tue Apr 19 11:54:12 2005
Subject: fixing a corrup keyring
Message-ID: <20050419085505.GB30729@vanheusden.com>

Hi,

I have a keyring with quite a few keys (thousands) and now something is wrong with it:

gpg --list-keys

gives

gpg: Ohhhh jeeee: mpi crosses packet border
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
Aborted

after a while. How can I fix this keychain? Are there any automatic tools?

Folkert van Heusden

Car for sale, see: http://www.vanheusden.com/daihatsu.php
Looking for an IT or Finance job? Mail me about the possibilities.
--------------------------------------------------------------------
UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/) a try, it brings monitoring logfiles to a different level! See http://vanheusden.com/multitail/features.html for a feature-list.
--------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE
Get your PGP/GPG key signed at www.biglumber.com!

From DBSMITH at OhioHealth.com Tue Apr 19 17:27:17 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Tue Apr 19 17:23:16 2005
Subject: multiple files for version below 1.2.5
Message-ID:

I am trying to decrypt 2 files on a UNIX machine with:

var=/data/files
file=file_that_has_my_passphrase
p='- -passphrase-fd-0'
outp='- -output'
de='- -decrypt'
dec=file


for i in $var
do
cat $file |gpg $p $de $outp $dec.$$ $i
sleep 1
done

and the error I get is
Sorry no terminal at all requested - cat get input.

I looked in the archives and saw the - -multifile option but I am on version 1.2.1 for AIX 5.2

here is my conf file

no-tty
no-secmem-warning
no-mdc-warning

Any ideas?

thanks

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams

From swright at physics.adelaide.edu.au Tue Apr 19 17:47:23 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Tue Apr 19 17:45:14 2005
Subject: multiple files for version below 1.2.5
In-Reply-To:
References:
Message-ID: <20050419154723.GJ4968@anl.gov>

G'day DBSMITH,

* DBSMITH@OhioHealth.com [050419 10:37]:
> I am trying to decrypt 2 files on a UNIX machine with:
>
> var=/data/files
> file=file_that_has_my_passphrase
> p='- -passphrase-fd-0'
> outp='- -output'
> de='- -decrypt'
> dec=file
>
>
> for i in $var
> do
> cat $file |gpg $p $de $outp $dec.$$ $i
> sleep 1
> done
>
> and the error I get is
> Sorry no terminal at all requested - cat get input.

Hint 1: Use echo to help you debug - i.e.

  echo cat $file
  echo gpg ......

That way you can see what your script is _trying_ to do, not what you want it to do.

Questions: What are you trying to do? Decrypt all the files in the directory "/data/files" ? This script won't do that. You are passing "/data/files" to GnuPG, not a list of the files IN that directory. (You will see this when you use the echo hint above.)

If you want all of the files inside /data/files, set

  var=/data/files/*

and that should work.

Hint 2: I find it useful (others will disagree) to put brackets around my variables to let the shell be sure what I want it to do... So the line:

  for i in $var

would become

  for i in ${var}

Then there is no confusion when you want to do something like

  ${var}stuff

However that is an aside.

Cheers,

S.

From DBSMITH at OhioHealth.com Tue Apr 19 18:31:25 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Tue Apr 19 18:27:26 2005
Subject: multiple files for version below 1.2.5
In-Reply-To: <20050419154723.GJ4968@anl.gov>
Message-ID:

Stewart,

I am trying to decrypt more than one file if ls -la |wc -l /dir is -gt one. Thanks for the tips, but my $var variable actually contains both file names like so:

for i in $var
do
echo $i
done

/psofthr/hr88prd/intf/aflac/inbound/filename1
/psofthr/hr88prd/intf/aflac/inbound/filename2

so I am ok there, but when I placed the echo in front of the gpg string I found that the same PID is being used.

gpg --passphrase-fd 0 --decrypt --output /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH.gpg.319548 /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH_20050324.TXT.pgp
gpg --passphrase-fd 0 --decrypt --output /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH.gpg.319548 /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH_20050408.TXT.pgp

Finally, in the decryption process you need two unique filenames b/c there are two decryption processes which is why I used $$.

gpg $p $de $outp $dec.$$ $i

Any more ideas?

thank you,

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams

From swright at physics.adelaide.edu.au Tue Apr 19 18:39:32 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Tue Apr 19 18:37:23 2005
Subject: multiple files for version below 1.2.5
In-Reply-To:
References: <20050419154723.GJ4968@anl.gov>
Message-ID: <20050419163932.GK4968@anl.gov>

G'day Derek,

* DBSMITH@OhioHealth.com [050419 11:31]:
> Stewart,
> I am trying to decrypt more than one file if ls -la |wc -l /dir is -gt one.
> Thanks for the tips, but my $var variable actually contains both file names
> like so:
>
> for i in $var
> do
> echo $i
> done
>
> /psofthr/hr88prd/intf/aflac/inbound/filename1
> /psofthr/hr88prd/intf/aflac/inbound/filename2
>
> so I am ok there,

What shell are you using?

> but when I placed the echo in front of the gpg string I
> found that the same PID is being used.
>
> gpg --passphrase-fd 0 --decrypt --output
> /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH.gpg.319548
> /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH_20050324.TXT.pgp
> gpg --passphrase-fd 0 --decrypt --output
> /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH.gpg.319548
> /psofthr/hr88prd/intf/aflac/inbound/OHIO_HEALTH_20050408.TXT.pgp
>
> Finally, in the decryption process you need two unique filenames b/c there
> are two decryption processes which is why I used $$.
>
> gpg $p $de $outp $dec.$$ $i
>
> Any more ideas? thank you,

At the start of your program put

  i=0

Inside the loop put something like

  i=`expr $i + 1`

and then use ${i} as the unique filename addition.

However... This is _not_ what the error was that you sent in your initial email:

> and the error I get is
> Sorry no terminal at all requested - cat get input.

The above fix won't fix this error unless I'm missing the point entirely.

Cheers,

S.

P.S. Please don't bother replying to me and the mailing list...

From DBSMITH at OhioHealth.com Tue Apr 19 19:00:21 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Tue Apr 19 18:56:14 2005
Subject: multiple files for version below 1.2.5
In-Reply-To:
Message-ID:

Never mind I got it to work. Since I need two unique decrypted file names I said:

x=0
count=`ls -la /data/files|wc -l`
if count -gt 1
then
until x -eq count
do
for i in $/data/files
do
encryption with my output file with a suffix of .$x
sleep 1
let x+=1
done
done
else
encrypt one file
fi

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams
614-566-4145

From adam00f at ducksburg.com Tue Apr 19 21:34:26 2005
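A runnable form of the loop this thread works toward, as an added example that is not code from any of the posts: it derives each output name from its input file rather than from `$$` (the PID of the shell running the script, which is the same on every pass through the loop), feeds the passphrase on stdin, and never prompts. It goes beyond the two-file case to any number of files; the function names, the `GPG` variable and the output directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): unattended decryption of every file in
# a directory, one distinct output file per input.
# Function names and the GPG variable are this example's own.

GPG=${GPG:-gpg}    # assumption: gpg is on PATH

# Build the output path from the input name. "$$" is the PID of the shell
# running the script, so it has the same value on every pass through a loop.
output_name() {    # $1 = input path, $2 = output directory
    base=${1##*/}
    case $base in
        *.pgp|*.gpg|*.asc) base=${base%.*} ;;
        *)                 base=$base.dec ;;
    esac
    printf '%s/%s\n' "$2" "$base"
}

# Decrypt every *.pgp / *.gpg file in $1 into $2, reading the passphrase
# from the file $3. Runs in a subshell so umask and variables stay local.
decrypt_all() (
    in_dir=$1 out_dir=$2 pass_file=$3
    failed=0
    umask 077                          # plaintext readable by the owner only
    for f in "$in_dir"/*.pgp "$in_dir"/*.gpg; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal
        out=$(output_name "$f" "$out_dir")
        if [ -e "$out" ]; then
            # never overwrite an earlier plaintext; report and move on
            echo "skipped: $out already exists" >&2
            failed=$((failed + 1))
            continue
        fi
        # --batch            never prompt
        # --passphrase-fd 0  read the passphrase from stdin
        # GnuPG 2.1 and later additionally need: --pinentry-mode loopback
        if "$GPG" --batch --passphrase-fd 0 --output "$out" --decrypt "$f" \
               < "$pass_file"; then
            echo "ok: $f -> $out"
        else
            echo "failed: $f" >&2
            rm -f "$out"               # drop any partial plaintext
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
)

# Usage: decrypt_all /data/files /data/clear /path/to/passphrase_file
```

The passphrase file should be readable only by the account that runs the job, since anyone who can read it can use the secret key.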
From: adam00f at ducksburg.com (Adam Funk)
Date: Tue Apr 19 21:30:21 2005
Subject: Revocation certificate still valid after changing subkeys?
In-Reply-To:
References:
Message-ID: <200504192034.27910.adam00f@ducksburg.com>

> It applies to the master key only. You do not need to generate a new
> revocation certificate. Revoking the master key takes out all UIDs
> and subkeys in one step.

That's what I suspected.

Thanks,
Adam

From neuhaus at imfl.de Wed Apr 20 00:16:42 2005
From: neuhaus at imfl.de (Philipp Neuhaus)
Date: Wed Apr 20 01:12:31 2005
Subject: Rescue secring
Message-ID: <4265834A.8090000@imfl.de>

Hi,

my reiserfs partition crashed and I do not have any backup (or revocation) of one of my keys. I tried to find the secring with hexedit and I found some data. But gpg --import always says "gpg: no valid OpenPGP data found. gpg: Total number processed: 0"

Does gpg have a fault-tolerant mode or do you know about any keyring tool that may repair my dumps?

Thanks
Philipp

From sascha-ml-cryptography-gnupg-users at silbe.org Wed Apr 20 14:17:31 2005
From: sascha-ml-cryptography-gnupg-users at silbe.org (Sascha Silbe)
Date: Wed Apr 20 15:14:21 2005
Subject: importing large keyring
Message-ID: <20050420121731.GA6386@cube.sascha.silbe.org>

Hi!

Recently (somewhere around the update from gnupg 1.2.x to 1.4.x) my keyring got corrupted:

sascha@cube:~$ gpg --export > /dev/null
gpg: buffer shorter than subpacket
gpg: signature packet without timestamp
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
[...]

However, most of the keys are still OK, so I'd like to use the output of "gpg --export" to re-create the keyring. The keyring is rather large (70MB) and after importing several thousand keys gpg uses more memory than is available as physical RAM, so it's continuously swapping. After 2 days without significant progress I've aborted the import.

Is there a way to split up the keydump into chunks of some thousand keys, so I can process those one after another?

CU Sascha

--
http://sascha.silbe.org/

From wk at gnupg.org Wed Apr 20 15:16:09 2005
From: wk at gnupg.org (Werner Koch) Date: Wed Apr 20 15:16:47 2005 Subject: OpenPGP Smartcard with Cygwin In-Reply-To: <424C072D.8010601@smilde-becker.net> (Peter L. Smilde's message of "Thu, 31 Mar 2005 16:20:29 +0200") References: <424C072D.8010601@smilde-becker.net> Message-ID: <87ekd5k2qu.fsf@wheatstone.g10code.de> On Thu, 31 Mar 2005 16:20:29 +0200, Peter L Smilde said: > I tried installing pcsc-lite from their website, but this only installs > a libpcsclite.a and libpcsclite.la. > How do I get the Smartcard working under Cygwin? I found no information > on this topic (OpenPGP smartcard cygwin) in the web. You may want to try the option --pcsc-driver winscard.dll Not sure whether this works. Better use a plain gpg build for Windows. > Under Windows itself the OpenPGP card works fine. (Except, that when no > card is inserted in the (SCR335) card reader while signing an error > window pops up telling that "Die Anweisung in 0x7c9211de" veweist auf > Speicher in "0x00000000" Der Vorgang "read" konnte nicht auf dem I have done some debugging and it seems that it is indeed a driver problem. Salam-Shalom, Werner From azak at infinitesoft.com Wed Apr 20 16:02:24 2005 
From: azak at infinitesoft.com (Alan Zak) Date: Wed Apr 20 16:38:27 2005 Subject: GNUPG library for C#? In-Reply-To: <87ekd5k2qu.fsf@wheatstone.g10code.de> Message-ID: <000f01c545b1$95afedf0$6719a8c0@headquarters.infinitesoft.com> Hello, I am new to C# coding. I have managed to create a console application which opens a process (ProcessStartInfo, etc) to run the gpg.exe with a given set of arguments. I would love to be able to eliminate the usage of the EXE, and instead integrate GPG's functionality in the form of a DLL or COM object. I've scoured the web via Teoma and Google, and have found a few references to people who have written their own "wrappers" to incorporate GPG functionality without reliance on the EXE. Unfortunately these led to dead or stale links, and further I have never created my own wrapper in the way these folks describe. If I might find this info by searching the archives please let me know, otherwise if someone could please direct me to some helpful info I would be most appreciative. Thank you! -- Alan From wk at gnupg.org Wed Apr 20 17:12:21 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Apr 20 17:11:52 2005 Subject: Error at "bag.attributes" importing key from freemail cert into gpgsm In-Reply-To: <200504071615.30963.nsushkin@sushkins.net> (Nicholas Sushkin's message of "Thu, 7 Apr 2005 16:15:30 -0400") References: <200504071615.30963.nsushkin@sushkins.net> Message-ID: <87r7h5iisq.fsf@wheatstone.g10code.de> On Thu, 7 Apr 2005 16:15:30 -0400, Nicholas Sushkin said: > gpg-protect-tool: encryptedData error at "bag.attributes", offset 2592 > gpg-protect-tool: error at "bag.encryptedData", offset 49 Thanks for the test data. It is a plain bug, here is patch: 2005-04-20 Werner Koch * minip12.c (parse_bag_encrypted_data): Fix the unpadding hack. diff -u -p -r1.5.2.7 minip12.c --- agent/minip12.c 29 Sep 2004 13:50:31 -0000 1.5.2.7 +++ agent/minip12.c 20 Apr 2005 15:18:31 -0000 
@@ -587,7 +588,7 @@ parse_bag_encrypted_data (const unsigned /* Ugly hack to cope with the padding: Forget about the rest if that it is less than the cipher's block length. */ - if (n < 8) + if (n <= 8) n = 0; /* Skip the optional SET with the pkcs12 cert attributes. */ @@ -602,7 +603,7 @@ parse_bag_encrypted_data (const unsigned { /* The optional SET. */ p += ti.length; n -= ti.length; - if (n < 8) + if (n <= 8) n = 0; if (n && parse_tag (&p, &n, &ti)) goto bailout; From sk at intertivity.com Wed Apr 20 17:27:34 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Wed Apr 20 17:23:40 2005 Subject: GNUPG library for C#? In-Reply-To: <000f01c545b1$95afedf0$6719a8c0@headquarters.infinitesoft.com> References: <000f01c545b1$95afedf0$6719a8c0@headquarters.infinitesoft.com> Message-ID: <426674E6.2080406@intertivity.com> http://www.codeproject.com/csharp/gnupgdotnet.asp might help! HTH esskar Alan Zak schrieb: >Hello, I am new to C# coding. I have managed to create a console >application which opens a process (ProcessStartInfo, etc) to run the gpg.exe >with a given set of arguments. > >I would love to be able to eliminate the usage of the EXE, and instead >integrate GPG's functionality in the form of a DLL or COM object. > >I've scoured the web via Teoma and Google, and have found a few references >to people who have written their own "wrappers" to incorporate GPG >functionality without reliance on the EXE. Unfortunately these led to dead >or stale links, and further I have never created my own wrapper in the way >these folks describe. > >If I might find this info by searching the archives please let me know, >otherwise if someone could please direct me to some helpful info I would be >most appreciative. > >Thank you! > >-- Alan > > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > From jharris at widomaker.com Wed Apr 20 17:51:43 2005 
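Review bot: in the first hunk of the agent/minip12.c patch above (@@ -587), the comment still says the remainder is dropped when it is "less than the cipher's block length", but the test is now `n <= 8`, which also discards a remainder of exactly one block. The comment should be reworded to match the code (for example "not more than the cipher's block length"), and the literal 8 would read better as a named constant, since it stands for the block length and is repeated in the next hunk.

Review bot: in the second hunk (@@ -602), `n -= ti.length` runs before the new `n <= 8` test, and the visible context shows no check that ti.length does not exceed n. If n is unsigned and parse_tag does not already guarantee this, a length field larger than the remaining buffer wraps n to a large value that the test never clears. A guard such as `if (ti.length > n) goto bailout;` ahead of the subtraction would close that, and folding the repeated `if (n <= 8) n = 0;` into one helper would keep the two sites in step.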
From: jharris at widomaker.com (Jason Harris)
Date: Wed Apr 20 17:47:46 2005
Subject: importing large keyring
In-Reply-To: <20050420121731.GA6386@cube.sascha.silbe.org>
References: <20050420121731.GA6386@cube.sascha.silbe.org>
Message-ID: <20050420155143.GS356@wilma.widomaker.com>

On Wed, Apr 20, 2005 at 02:17:31PM +0200, Sascha Silbe wrote:

> Recently (somewhere around the update from gnupg 1.2.x to 1.4.x) my
> keyring got corrupted:
>
> sascha@cube:~$ gpg --export > /dev/null
> gpg: buffer shorter than subpacket
> gpg: signature packet without timestamp
> gpg: buffer shorter than subpacket
> gpg: signature packet without keyid
> gpg: buffer shorter than subpacket
> [...]

I've also seen similar "corruption" recently (with GPG 1.4.1):

%gpg --keyserver hkp://keyserver.sascha.silbe.org --recv CA57AD7C
Host: keyserver.sascha.silbe.org
Command: GET
gpgkeys: HTTP URL is `hkp://keyserver.sascha.silbe.org/pks/lookup?op=get&options=mr&search=0xCA57AD7C'
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
gpg: signature packet without timestamp
gpg: key CA57AD7C: accepted non self-signed user ID "[jpeg image of size 3400]"
gpg: key CA57AD7C: accepted non self-signed user ID "[jpeg image of size 3400]"
gpg: key CA57AD7C: accepted non self-signed user ID "[jpeg image of size 3400]"
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
[snip]

$gpg -k CA57AD7C
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
pub 2048R/CA57AD7C 2004-12-06
uid PGP Global Directory Verification Key
uid [jpeg image of size 3400]
uid [jpeg image of size 3400]
uid [jpeg image of size 3400]
uid [jpeg image of size 3400]

%gpg --export CA57AD7C > /dev/null
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket

NB: I set "allow-non-selfsigned-uid" in ~/.gnupg/options, but you probably don't, and we're seeing most of the same errors.

> However, most of the keys are still OK, so I'd like to use the output of
> "gpg --export" to re-create the keyring.
> The keyring is rather large (70MB) and after importing several thousand
> keys gpg uses more memory than is available as physical RAM, so it's
> continuously swapping. After 2 days without significant progress I've
> aborted the import.

(Out of curiosity, what do you plan to have GPG do with the keys once they're imported?)

I often work with keys dumped straight from pks without doing a "gpg --import" on them. You should be able to do the same with SKS.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From carlosandres01 at gmail.com Wed Apr 20 19:26:08 2005
From: carlosandres01 at gmail.com (Carlos M) Date: Wed Apr 20 20:22:30 2005 Subject: Cant create directory error Message-ID: Hi there, I'm having problems trying to decrypt a message using PHP or Perl. When I run the Perl script directly from the Linux bash it works just fine, but when I run the script from the browser it doesn't work. Checking the Apache logs, it says: Name "main::passphrase" used only once: possible typo at /usr/local/apache/cgi-bin/decrypt.pl line 10. gpg: fatal: ~/.gnupg: can't create directory: No such file or directory I create the keys using root as user. I got the .gnupg directory on /root with the correct keys in there. I have the correct keys in my local repository. I don't know what I'm doing wrong. My gpg version is 1.4.1 Any help would be useful. Thanks a lot. Carlos Andres Medina From gpg at jason.markley.name Wed Apr 20 21:13:38 2005
From: gpg at jason.markley.name (Jason Markley) Date: Wed Apr 20 21:10:09 2005 Subject: 1.4.1 won't retrieve key from keyserver? In-Reply-To: <42408C7B.5060806@jason.markley.name> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <423851A3.5030604@jason.markley.name> <20050321195149.GB22697@jabberwocky.com> <42401B85.5040903@jason.markley.name> <20050322140857.GA26177@jabberwocky.com> <42403243.6060105@jason.markley.name> <20050322211200.GD26177@jabberwocky.com> <42408C7B.5060806@jason.markley.name> Message-ID: <4266A9E2.5040606@jason.markley.name> David, Has this issue been fixed? Here's a recap of what I've observed. I'm using TB 1.0.2 and gpg 1.4.1 (for windows, obviously) :) ----------------------------------------------------------------------- behavior when searching for keys using GPG 1.4.1 from the command line: hkp: searches and finds it, but doesn't import the key. can't find a valid key block. taking the 'openpgp' option out of the gpg.conf file fixes this. ldap: searches and finds the key, and is able to import the key. it works both with and without the 'openpgp' option. http: gpgkeys says that this type of server only supports importing keys. I can't get importing to work, with or without the 'openpgp' option. -Jason Jason Markley wrote: > David Shaw wrote: > >> That said, keyserver imports on W32 should work with --openpgp set as >> well. I will fix that. >> >> > Thanks! > > -Jason > >> David From erpo41 at hotpop.com Wed Apr 20 21:51:30 2005
From: erpo41 at hotpop.com (Erpo) Date: Wed Apr 20 21:47:00 2005 Subject: Rescue secring In-Reply-To: <4265834A.8090000@imfl.de> References: <4265834A.8090000@imfl.de> Message-ID: <1114026690.6140.24.camel@localhost.localdomain> On Wed, 2005-04-20 at 00:16 +0200, Philipp Neuhaus wrote: > Does gpg have a fault-tolerant mode or do you know about any keyringtool > that may repair my dumps? My sympathy goes out to you. Most people don't back up, probably because of the disparity between hard drive sizes and backup media; I know I don't want to make a stack of 40 DVD-Rs every week. Once in a while we all get bitten. As for your GPG problem, I can't offer you much help. I remember hearing about a feature that would help you regenerate your public key from your private key, but you're going to need your private key in order to do that. You're probably not going to get your keys back. As far as generating and passing out a revocation, it's probably not necessary. All a revocation does is tell people who have your key not to trust any further messages signed by that key, and you're already going to be able to do that when you start distributing your new public key to your friends. Eric From jerri at jerri.de Wed Apr 20 23:28:39 2005
From: jerri at jerri.de (Gerhard Siegesmund) Date: Wed Apr 20 23:25:09 2005 Subject: importing large keyring In-Reply-To: <20050420155143.GS356@wilma.widomaker.com> References: <20050420121731.GA6386@cube.sascha.silbe.org> <20050420155143.GS356@wilma.widomaker.com> Message-ID: <20050420212839.GA16994@base.jerri.home> Hello all > > Recently (somewhere around the update from gnupg 1.2.x to 1.4.x) my > > keyring got corrupted: > > sascha@cube:~$ gpg --export > /dev/null > > gpg: buffer shorter than subpacket > > [...] > I've also seen similar "corruption" recently (with GPG 1.4.1): > %gpg --keyserver hkp://keyserver.sascha.silbe.org --recv CA57AD7C > Host: keyserver.sascha.silbe.org > Command: GET > gpgkeys: HTTP URL is `hkp://keyserver.sascha.silbe.org/pks/lookup?op=get&options=mr&search=0xCA57AD7C' > gpg: buffer shorter than subpacket [...] This seems to be a common problem? I recently found the same errors, but didn't care about them. Is it something I should be concerned about? -- cu --== Jerri ==-- Homepage: http://www.jerri.de/ ICQ: 54160208 Public PGP Key: http://www.jerri.de/jerris_public_key.asc From gregbell at znet.com Thu Apr 21 01:37:35 2005
From: gregbell at znet.com (Greg Bell) Date: Thu Apr 21 02:10:52 2005 Subject: Gvim and gpg Message-ID: Hi GPG users, I've successfully used gpg from vim for years, using the autocmds easily found with google. However, when using gpg from gvim, I get this: :!gpg --symmetric gpg: cannot open `/dev/tty': No such device or address shell returned 2 If I try the --no-tty option: :!gpg --symmetric --no-tty gpg: Sorry, no terminal at all requested - can't get input shell returned 2 Root privs, setuid, etc. don't work. And my /dev/tty device is there and working: $ ls -l /dev/tty crwxrwxrwx 1 root root 5, 0 Apr 20 19:48 /dev/tty Anybody have any idea why it doesn't work? Again, it works with the normal vim client. Thanks much, -- Greg Bell From bluthgeld44 at yahoo.com Wed Apr 20 23:40:34 2005 From: bluthgeld44 at yahoo.com (Dr Bluthgeld) Date: Thu Apr 21 09:58:22 2005 Subject: Clearing passwords in agent Message-ID: <20050420214034.82302.qmail@web41407.mail.yahoo.com> Hi, 1. Is it possible to clear all passwords in agent regardless its ttl, without killing it? I mean something like "ssh-add -D"? 2. Is it possible to force agent to reload its configuration from file given primarily with --options? I am not a subscriber to this list, so please CC me. Thanks. -- Marian Kowalski From wk at gnupg.org Thu Apr 21 11:27:42 2005
From: wk at gnupg.org (Werner Koch) Date: Thu Apr 21 11:26:59 2005 Subject: Clearing passwords in agent In-Reply-To: <20050420214034.82302.qmail@web41407.mail.yahoo.com> (bluthgeld44@yahoo.com's message of "Wed, 20 Apr 2005 14:40:34 -0700 (PDT)") References: <20050420214034.82302.qmail@web41407.mail.yahoo.com> Message-ID: <87ll7cfpip.fsf@wheatstone.g10code.de>

On Wed, 20 Apr 2005 14:40:34 -0700 (PDT), Bluthgeld said:

> 1. Is it possible to clear all passwords in agent
> regardless its ttl, without killing it? I mean
> something like "ssh-add -D"?

  pkill -HUP gpg-agent

> 2. Is it possible to force agent to reload its
> configuration from file given primarily with
> --options?

Same as above. However, not all options are reloaded.

  opt.quiet = 0;
  opt.verbose = 0;
  opt.debug = 0;
  opt.no_grab = 0;
  opt.pinentry_program = NULL;
  opt.scdaemon_program = NULL;
  opt.def_cache_ttl = DEFAULT_CACHE_TTL;
  opt.max_cache_ttl = MAX_CACHE_TTL;
  opt.ignore_cache_for_signing = 0;
  opt.allow_mark_trusted = 0;
  opt.disable_scdaemon = 0;

The above list shows the options which are changeable at runtime, others are ignored. The actual option names are similar to the above variable names. I'll add notes to the manual.

Salam-Shalom,

   Werner

From johanw at vulcan.xs4all.nl Thu Apr 21 11:46:31 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Apr 21 11:44:11 2005 Subject: Rescue secring In-Reply-To: <1114026690.6140.24.camel@localhost.localdomain> from Erpo at "Apr 20, 2005 12:51:30 pm" Message-ID: <200504210946.LAA00972@vulcan.xs4all.nl> Erpo wrote: >My sympathy goes out to you. Most people don't back up, probably because >of the disparity between hard drive sizes and backup media; I know I >don't want to make a stack of 40 DVD-Rs every week. Then you're backing up in a stupid way. I divide my system into system data (OS, programs) that infrequently changes, and user data, that frequently changes, and that I back up when something important is changed (I know for myself when that is the case, don't need "every week" standards for that). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Thu Apr 21 14:57:56 2005
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Apr 21 14:54:34 2005 Subject: 1.4.1 won't retrieve key from keyserver? In-Reply-To: <4266A9E2.5040606@jason.markley.name> References: <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <423851A3.5030604@jason.markley.name> <20050321195149.GB22697@jabberwocky.com> <42401B85.5040903@jason.markley.name> <20050322140857.GA26177@jabberwocky.com> <42403243.6060105@jason.markley.name> <20050322211200.GD26177@jabberwocky.com> <42408C7B.5060806@jason.markley.name> <4266A9E2.5040606@jason.markley.name> Message-ID: <20050421125756.GA22419@jabberwocky.com> On Wed, Apr 20, 2005 at 03:13:38PM -0400, Jason Markley wrote: > David, > > Has this issue been fixed? Here's a recap of what I've observed. > I'm using TB 1.0.2 and gpg 1.4.1 (for windows, obviously) :) > > ----------------------------------------------------------------------- > behavior when searching for keys using GPG 1.4.1 from the command line: > > hkp: searches and finds it, but doesn't import the key. can't find a > valid key block. taking the 'openpgp' option out of the gpg.conf file > fixes this. Yes, this was fixed the day I responded to your original mail. However, I don't currently have a good way to test on windows, so if you could test when the 1.4.2 release candidate comes out, that would be great. David From list at omicron-persei-8.net Thu Apr 21 14:24:14 2005 
From: list at omicron-persei-8.net (Tyler Retzlaff) Date: Thu Apr 21 15:03:03 2005 Subject: generating keys & entropy Message-ID: <42679B6E.3080900@omicron-persei-8.net> I'm having difficulty with keys not wanting to generate or taking a very long time to generate. I suspect this is due to the source of entropy used to generate the key not being very active. I notice I can "force" the process along by causing some extra network/cpu activity on the host I'm generating the key. Is there a way to avoid having to do this? I find it to be quite inconvenient since I am often generating keys for testing purposes. Any suggestions welcome, thanks. From wk at gnupg.org Thu Apr 21 15:12:44 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Apr 21 15:11:50 2005 Subject: fixing a corrup keyring In-Reply-To: <20050419085505.GB30729@vanheusden.com> (folkert@vanheusden.com's message of "Tue, 19 Apr 2005 10:55:07 +0200") References: <20050419085505.GB30729@vanheusden.com> Message-ID: <87d5soe0j7.fsf@wheatstone.g10code.de> On Tue, 19 Apr 2005 10:55:07 +0200, folkert said: > Hi, > I have a keyring with quite a few keys (thousands) and now something > is wrong with it: > gpg --list-keys gives > gpg: Ohhhh jeeee: mpi crosses packet border It is unfortunate that gpg bails out immediately in this case. In fact it is not a bug (this is what the "Ohhh jeeee" shall indicate) but corrupt input data. I have not created a test case yet but changed the code to fail more gracefully. This won't help too much I fear but it is a first step to a recovery mode. Please apply the attached patch against 1.4.1 or CVS. Salam-Shalom, Werner -------------- next part -------------- 2005-04-21 Werner Koch * mpicoder.c (mpi_read): Changed error detection to always return an error while maintaining the actual number of bytes read. --- mpi/mpicoder.c 20 Dec 2004 10:05:20 -0000 1.33 +++ mpi/mpicoder.c 21 Apr 2005 13:21:15 -0000
@@ -1,5 +1,5 @@ /* mpicoder.c - Coder for the external representation of MPIs - * Copyright (C) 1998, 1999 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -74,20 +74,23 @@ mpi_read(IOBUF inp, unsigned *ret_nread, #endif { int c, i, j; + unsigned int nmax = *ret_nread; unsigned nbits, nbytes, nlimbs, nread=0; mpi_limb_t a; MPI val = MPI_NULL; if( (c = iobuf_get(inp)) == -1 ) goto leave; - nread++; + if (++nread >= nmax) + goto overflow; nbits = c << 8; if( (c = iobuf_get(inp)) == -1 ) goto leave; - nread++; + if (++nread >= nmax) + goto overflow; nbits |= c; if( nbits > MAX_EXTERN_MPI_BITS ) { - log_error("mpi too large (%u bits)\n", nbits); + log_error("mpi too large for this implementation (%u bits)\n", nbits); goto leave; } @@ -108,6 +111,15 @@ mpi_read(IOBUF inp, unsigned *ret_nread, for( ; j > 0; j-- ) { a = 0; for(; i < BYTES_PER_MPI_LIMB; i++ ) { + if (nread >= nmax) { +#ifdef M_DEBUG + mpi_debug_free (val); +#else + mpi_free (val); +#endif + val = NULL; + goto overflow; + } a <<= 8; a |= iobuf_get(inp) & 0xff; nread++; } @@ -116,10 +128,11 @@ mpi_read(IOBUF inp, unsigned *ret_nread, } leave: - if( nread > *ret_nread ) - log_bug("mpi crosses packet border\n"); - else - *ret_nread = nread; + *ret_nread = nread; + return val; + overflow: + log_error ("mpi larger than indicated length (%u bytes)\n", nmax); + *ret_nread = nread; return val; } From gpg at jason.markley.name Thu Apr 21 16:37:17 2005 
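Review bot: In the hunk at -74,20 the two header reads test the limit only after iobuf_get has consumed the byte, and they use >=: "if (++nread >= nmax) goto overflow;". An MPI whose two-byte bit count ends exactly at the limit (a zero-bit MPI as the last field of a packet) is therefore reported as an overflow, and with a limit of 0 one byte beyond the limit is still read. The limb loop in the next hunk tests "nread >= nmax" before reading; doing the same here would make both paths agree. Since *ret_nread is now copied into nmax on entry and overwritten on exit, the in/out use of that parameter is worth stating in the function's comment.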
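Review bot: In the hunk at -108,6 the new bound check guards the limb loop, but the unchanged read right after it, "a |= iobuf_get(inp) & 0xff; nread++;", still ignores the -1 that the header reads treat as end of input, so a stream that ends inside the indicated length is folded into 0xff bytes instead of failing. As this change is about failing gracefully on corrupt data, the same free-and-bail branch could cover that case. Smaller point in the added branch: "val = NULL;" should be "val = MPI_NULL;" to match the initialiser "MPI val = MPI_NULL;".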
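Review bot: In the last hunk (-116,10) the leave and overflow exits now both end in "*ret_nread = nread; return val;". Placing the overflow label with its log_error above leave and letting it fall through would keep a single exit and avoid the two copies drifting apart. The log_error text reports only nmax; adding nread would show how far into the MPI the parser got when it hit the limit.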
From: gpg at jason.markley.name (Jason Markley) Date: Thu Apr 21 16:34:05 2005 Subject: 1.4.1 won't retrieve key from keyserver? In-Reply-To: <20050421125756.GA22419@jabberwocky.com> References: <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <423851A3.5030604@jason.markley.name> <20050321195149.GB22697@jabberwocky.com> <42401B85.5040903@jason.markley.name> <20050322140857.GA26177@jabberwocky.com> <42403243.6060105@jason.markley.name> <20050322211200.GD26177@jabberwocky.com> <42408C7B.5060806@jason.markley.name> <4266A9E2.5040606@jason.markley.name> <20050421125756.GA22419@jabberwocky.com> Message-ID: <4267BA9D.4010005@jason.markley.name> David, I'd be glad to test it when the 1.4.2RC comes out. Thanks for fixing it so quickly! -Jason David Shaw wrote: >On Wed, Apr 20, 2005 at 03:13:38PM -0400, Jason Markley wrote: > > >>David, >> >> Has this issue been fixed? Here's a recap of what I've observed. >>I'm using TB 1.0.2 and gpg 1.4.1 (for windows, obviously) :) >> >>----------------------------------------------------------------------- >>behavior when searching for keys using GPG 1.4.1 from the command line: >> >>hkp: searches and finds it, but doesn't import the key. can't find a >>valid key block. taking the 'openpgp' option out of the gpg.conf file >>fixes this. >> >> > >Yes, this was fixed the day I responded to your original mail. >However, I don't currently have a good way to test on windows, so if >you could test when the 1.4.2 release candidate comes out, that would >be great. > >David From folkert at vanheusden.com Thu Apr 21 20:40:20 2005
From: folkert at vanheusden.com (folkert@vanheusden.com) Date: Thu Apr 21 20:36:11 2005 Subject: corrupted keyring; now what is corrupted? Message-ID: <20050421184018.GD30952@vanheusden.com> Hi, I'm trying to write a program that fixes the keyring. I can read the chain and do some sanity checks but I find nothing wrong. So I ran gpg with some debugging switched on and then I get this: ... gpg: DBG: parse_packet(iob=1): type=14 length=525 (search.../../g10/keyring.c.974) gpg: DBG: parse_packet(iob=1): type=6 length=418 (search.../../g10/keyring.c.974) gpg: DBG: parse_packet(iob=2005): type=6 length=418 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=13 length=39 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=70 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=70 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=98 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=106 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=13 length=43 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=103 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=13 length=44 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=70 (parse.../../g10/keyring.c.391) gpg: DBG: 
parse_packet(iob=2005): type=2 length=70 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: DBG: parse_packet(iob=2005): type=2 length=76 (parse.../../g10/keyring.c.391) gpg: Ohhhh jeeee: mpi crosses packet border secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768 Aborted My question now is: what is this mpi crossing that packet border? Is this mpi-data longer than what is in the packet? So a packet type ct == 6 || ct == 14 || ct == 5 || ct == 7 follows after the last one listed (right?) and the mpi-data is bigger than that length-field? How can I see if an mpi is the correct length? Folkert van Heusden -- Car for sale, see: http://www.vanheusden.com/daihatsu.php Looking for an IT or Finance job? Mail me about the possibilities. -------------------------------------------------------------------- UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/) a try, it brings monitoring logfiles to a different level! See http://vanheusden.com/multitail/features.html for a feature-list. -------------------------------------------------------------------- Phone: +31-6-41278122, PGP-key: 1F28D8AE Get your PGP/GPG key signed at www.biglumber.com! From folkert at vanheusden.com Thu Apr 21 21:30:45 2005
From: folkert at vanheusden.com (folkert@vanheusden.com) Date: Thu Apr 21 21:26:38 2005 Subject: corrupted keyring; now what is corrupted? In-Reply-To: <20050421184018.GD30952@vanheusden.com> References: <20050421184018.GD30952@vanheusden.com> Message-ID: <20050421193043.GE30952@vanheusden.com> Ok, I figured out how to check the mpi. Now, what I don't understand is why gpg bails out: when my program runs, it doesn't find any problems with mpi's in the whole keyring. The program (not yet finished although it might be able to fix some problems with certain damages) is available from: http://www.vanheusden.com/Linux/fix_ring-0.1.tgz Folkert van Heusden From wk at gnupg.org Thu Apr 21 22:48:34 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Apr 21 22:47:00 2005 Subject: corrupted keyring; now what is corrupted? In-Reply-To: <20050421184018.GD30952@vanheusden.com> (folkert@vanheusden.com's message of "Thu, 21 Apr 2005 20:40:20 +0200") References: <20050421184018.GD30952@vanheusden.com> Message-ID: <87k6mvc0v1.fsf@wheatstone.g10code.de> On Thu, 21 Apr 2005 20:40:20 +0200, folkert said: > My question now is: what is this mpi crossing that packet border? Is this mpi- The length header of the MPI claims a value longer than the entire packet. I posted a part solution this afternoon. Salam-Shalom, Werner From rsadasivan at ebay.com Thu Apr 21 22:02:50 2005
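The check discussed in this thread (an MPI whose length header claims more bytes than its packet holds) can be run offline on a packet body. This is an added example, not part of any message above and not GnuPG's code; it assumes a version 4 public-key packet body (the type=6/14 packets in the debug output), and the function names, status codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum mpi_status {
    MPI_OK = 0,
    MPI_UNSUPPORTED,       /* not a v4 key body, or algorithm not handled here */
    MPI_TRUNCATED_HEADER,  /* fewer than 2 bytes left for the bit count */
    MPI_CROSSES_BORDER,    /* bit count needs more bytes than the packet has */
    MPI_BAD_LEADING_BITS,  /* bits above the declared bit count are set */
    MPI_TRAILING_DATA      /* bytes left over after the last MPI */
};

/* Check one MPI at p: a 2-byte big-endian bit count, then (bits+7)/8 value
 * bytes.  `left` is what remains of the packet body; nothing past it is read. */
static enum mpi_status mpi_check(const unsigned char *p, size_t left, size_t *used)
{
    size_t nbits, nbytes;
    unsigned int unused;

    if (left < 2)
        return MPI_TRUNCATED_HEADER;
    nbits = ((size_t)p[0] << 8) | p[1];
    nbytes = (nbits + 7) / 8;
    if (nbytes > left - 2)
        return MPI_CROSSES_BORDER;
    unused = (unsigned int)(nbytes * 8 - nbits);   /* 0..7 high bits */
    if (unused && (p[2] >> (8 - unused)) != 0)
        return MPI_BAD_LEADING_BITS;
    *used = 2 + nbytes;
    return MPI_OK;
}

/* Number of MPIs in a v4 public-key body, by OpenPGP algorithm id. */
static int pubkey_mpi_count(unsigned char algo)
{
    switch (algo) {
    case 1: case 2: case 3: return 2;   /* RSA: n, e */
    case 16:                return 3;   /* Elgamal: p, g, y */
    case 17:                return 4;   /* DSA: p, q, g, y */
    default:                return -1;
    }
}

/* Validate every MPI of a v4 public-key body against the packet length.
 * body = version(1) | creation time(4) | algorithm(1) | MPIs...
 * If bad_index is not NULL it receives the index of the first bad MPI,
 * or -1 when no MPI failed. */
enum mpi_status pubkey_body_check(const unsigned char *body, size_t len,
                                  int *bad_index)
{
    size_t off = 6, used = 0;
    int i, count;

    if (bad_index)
        *bad_index = -1;
    if (len < 6 || body[0] != 4)
        return MPI_UNSUPPORTED;
    count = pubkey_mpi_count(body[5]);
    if (count < 0)
        return MPI_UNSUPPORTED;
    for (i = 0; i < count; i++) {
        enum mpi_status st = mpi_check(body + off, len - off, &used);
        if (st != MPI_OK) {
            if (bad_index)
                *bad_index = i;
            return st;
        }
        off += used;
    }
    return off == len ? MPI_OK : MPI_TRAILING_DATA;
}

int pubkey_first_bad_mpi(const unsigned char *body, size_t len)
{
    int idx;
    pubkey_body_check(body, len, &idx);
    return idx;
}

/* Constructed sample: v4 RSA body with toy values n = 0x01FF (9 bits)
 * and e = 0x010001 (17 bits).  Not a real key. */
static const unsigned char sample_ok[] = {
    0x04, 0x42, 0x67, 0x9B, 0x6E, 0x01,
    0x00, 0x09, 0x01, 0xFF,
    0x00, 0x11, 0x01, 0x00, 0x01
};
/* Same body with one damaged byte: e now claims 0x0811 = 2065 bits. */
static const unsigned char sample_corrupt[] = {
    0x04, 0x42, 0x67, 0x9B, 0x6E, 0x01,
    0x00, 0x09, 0x01, 0xFF,
    0x08, 0x11, 0x01, 0x00, 0x01
};

int main(void)
{
    printf("intact body : status %d\n",
           pubkey_body_check(sample_ok, sizeof sample_ok, NULL));
    printf("corrupt body: status %d at MPI %d\n",
           pubkey_body_check(sample_corrupt, sizeof sample_corrupt, NULL),
           pubkey_first_bad_mpi(sample_corrupt, sizeof sample_corrupt));
    return 0;
}
```

A single flipped byte in a bit count is enough to produce the border-crossing status, which is why a checker has to compare every MPI header with the bytes left in its own packet rather than with the file size.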
From: rsadasivan at ebay.com (Sadasivan, Rajan) Date: Thu Apr 21 22:58:40 2005 Subject: gpg: Sorry, no terminal at all requested - can't get input Message-ID: <64B7889E4DCBF940B44F8FE1A46D348D02281514@DEN-EXM-01.corp.ebay.com> Hi: I get following error from GnuPg for -> gpg --always-trust --passphrase-fd 0 --output outfile.1 -u "Test user" --no-tty --decrypt inputfile.pgp < /opt/passwdfile gpg: Sorry, no terminal at all requested - can't get input what is the problem? version-> gpg (GnuPG) 1.2.1 Copyright (C) 2002 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. rajans From dshaw at jabberwocky.com Fri Apr 22 00:16:00 2005
From: dshaw at jabberwocky.com (David Shaw) Date: Fri Apr 22 00:12:50 2005 Subject: importing large keyring In-Reply-To: <20050420212839.GA16994@base.jerri.home> References: <20050420121731.GA6386@cube.sascha.silbe.org> <20050420155143.GS356@wilma.widomaker.com> <20050420212839.GA16994@base.jerri.home> Message-ID: <20050421221600.GB23212@jabberwocky.com> On Wed, Apr 20, 2005 at 11:28:39PM +0200, Gerhard Siegesmund wrote: > > I've also seen similar "corruption" recently (with GPG 1.4.1): > > %gpg --keyserver hkp://keyserver.sascha.silbe.org --recv CA57AD7C > > Host: keyserver.sascha.silbe.org > > Command: GET > > gpgkeys: HTTP URL is `hkp://keyserver.sascha.silbe.org/pks/lookup?op=get&options=mr&search=0xCA57AD7C' > > gpg: buffer shorter than subpacket > [...] > > This seems to be a common problem? I recently found the same errors, but > didn't care about them. Is it something I should be concerned about? No, not really (at least if you see them on a keyserver like in the example). The copy of the key on the keyserver is corrupt. GnuPG will do a reasonable amount of repair as it imports, and generally ends up with a usable key. David From folkert at vanheusden.com Fri Apr 22 07:17:01 2005
From: folkert at vanheusden.com (folkert@vanheusden.com) Date: Fri Apr 22 07:12:56 2005 Subject: corrupted keyring; now what is corrupted? In-Reply-To: <87k6mvc0v1.fsf@wheatstone.g10code.de> References: <20050421184018.GD30952@vanheusden.com> <87k6mvc0v1.fsf@wheatstone.g10code.de> Message-ID: <20050422051646.GF30952@vanheusden.com> > > My question now is: what is this mpi crossing that packet border? Is this mpi- > The length header of the MPI claims a value longer than the entire > packet. I posted a part solution this afternoon. Will that also fix gpgme? It seems it has the same troubles. Folkert van Heusden From wk at gnupg.org Fri Apr 22 20:13:13 2005 From: wk at gnupg.org (Werner Koch) Date: Sat Apr 23 00:33:43 2005 Subject: corrupted keyring; now what is corrupted? In-Reply-To: <20050422051646.GF30952@vanheusden.com> (folkert@vanheusden.com's message of "Fri, 22 Apr 2005 07:17:01 +0200") References: <20050421184018.GD30952@vanheusden.com> <87k6mvc0v1.fsf@wheatstone.g10code.de> <20050422051646.GF30952@vanheusden.com> Message-ID: <874qdyfznq.fsf@wheatstone.g10code.de> On Fri, 22 Apr 2005 07:17:01 +0200, folkert said: > Will that also fix gpgme? It seems it has the same troubles. gpgme uses gpg, so if it has solved the problem for gpg, it also does for gpgme. Shalom-Salam, Werner From dshaw at jabberwocky.com Sat Apr 23 15:04:16 2005
From: dshaw at jabberwocky.com (David Shaw) Date: Sat Apr 23 15:00:47 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050217034410.GG24504@jabberwocky.com> References: <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> <20050211202000.GD7710@anl.gov> <20050212050506.GE22456@jabberwocky.com> <20050214210800.GR4175@psilocybe.teonanacatl.org> <20050217034410.GG24504@jabberwocky.com> Message-ID: <20050423130416.GL19713@jabberwocky.com> On Wed, Feb 16, 2005 at 10:44:10PM -0500, David Shaw wrote: > On Mon, Feb 14, 2005 at 04:08:00PM -0500, Todd wrote: > > > In doing so, it seems like a nicer way to solve this would be to > > simply modify two automake files in gnupg to use pkglibexecdir instead > > of libexecdir. The attached patch against CVS does this and worked > > for me in my simple testing. It allows libexecdir to be set as one > > would normally set it and not have to worry about the gnupg subdir > > portion. Of course, if one wants to change that separately from > > libexecdir, it can be done by passing pkglibexecdir to make: > > > > make pkglibexecdir=/usr/anydir/gpg > > I think this is a good idea. I don't want to mess about with the > build this close to the 1.4.1 release, but I will revisit this for > 1.4.2. Okay, this is done and will be in 1.4.2. If anyone tracking CVS wants to give this a whirl before then, do let me know how it works out. David From pete at petesplace.id.au Sun Apr 24 08:37:14 2005
From: pete at petesplace.id.au (Peter Jones) Date: Sun Apr 24 09:13:12 2005 Subject: Cant create directory error In-Reply-To: References: Message-ID: <200504241637.14279.pete@petesplace.id.au> On Thu, 21 Apr 2005 03:26 am, Carlos M wrote: > Hi there, I'm having problems trying to decrypt a message using PHP or > Perl. When I run the Perl script directly from the Linux bash it works > just fine, but when I run the script from the browser it doesn't work. > Checking the Apache logs, it says: > > Name "main::passphrase" used only once: possible typo at > /usr/local/apache/cgi-bin/decrypt.pl line 10. > gpg: fatal: ~/.gnupg: can't create directory: No such file or directory > > I create the keys using root as user. I got the .gnupg directory on > /root with the correct keys in there. I have the correct keys in my > local repository. I don't know what I'm doing wrong. I cannot see any other responses [possibly because the Reply-to on your message doesn't seem to be configured correctly??] to this so I'll give it a shot. It is almost certain that apache is not running as root (and if it *is*, it is a very bad security risk!) Chances are it will be running as either user "apache", or as "nobody"; you will need to check your httpd.conf file to be sure. Apache, therefore, calls your cgi script as this user, and your script calls gpg as this user. gpg then tries to create ~/.gnupg -- and either the user home directory doesn't exist, or (for various security reasons) apache does not have write access to it. Best bet is to create a .gnupg file somewhere apache can find it, then in your script use "gpg --options /path/to/.gnupg" to specify the correct options file for it to use... (Additionally I'd investigate that main::passphrase warning if I were you! ;-)) HTH, Pete. From list at omicron-persei-8.net Sun Apr 24 17:36:01 2005
From: list at omicron-persei-8.net (Tyler Retzlaff)
Date: Sun Apr 24 17:33:43 2005
Subject: gpgme & gpgme_data_write problem
Message-ID: <426BBCE1.1020504@omicron-persei-8.net>

I'm using the following piece of code which is heavily derived from that found in the gpgme/test directory. (With error checking removed for clarity, though in the real code all error checking is being done)

The problem is when I use gpgme_data_write() to enter the text into the plain text data buffer before encryption it doesn't end up being encrypted as a part of cipher text. The resulting encrypted message is empty.

This doesn't happen if I initialize the plain data buffer with gpg_data_new_from_mem(). Am I using gpgme_data_new() and gpgme_data_write() incorrectly? Or is libgpgme at fault? btw, gpgme 1.0.1/gnupg 1.2.6 is being used.

Advice is appreciated, thanks!

    #include <locale.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <gpgme.h>

    /* print_data() is the helper from the gpgme test sources this is derived from. */

    int
    main(int argc, char **argv)
    {
        size_t wbytes;
        gpgme_error_t e;
        gpgme_ctx_t ctx;
        gpgme_data_t plain;
        gpgme_data_t cipher;
        gpgme_key_t key[2] = { NULL, NULL };
        gpgme_encrypt_result_t r;
        gpgme_data_encoding_t enc;

        setlocale (LC_ALL, "");
        gpgme_check_version (NULL);
        gpgme_set_locale(NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL));
        gpgme_set_locale(NULL, LC_MESSAGES, setlocale (LC_MESSAGES, NULL));

        gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
        gpgme_new(&ctx);
        gpgme_set_armor(ctx, 1);

        gpgme_data_new(&plain);
        gpgme_data_new(&cipher);
        gpgme_get_key(ctx, "93EE05A3D02C75B7B451AF1E6449D89A2D2C2204", &key[0], 0);

        /* sizeof counts the string's terminating NUL as well */
        wbytes = sizeof("This is the first line.\n");
        gpgme_data_write(plain, "This is the first line.\n", wbytes);
        fprintf(stderr, "wrote %zu bytes\n", wbytes);
        gpgme_op_encrypt(ctx, key, 0, plain, cipher);
        r = gpgme_op_encrypt_result(ctx);

        print_data(cipher);
        gpgme_key_unref(key[0]);
        gpgme_data_release(plain);
        gpgme_data_release(cipher);
        gpgme_release(ctx);

        return EXIT_SUCCESS;
    }

From wk at gnupg.org Sun Apr 24 17:39:29 2005
From: wk at gnupg.org (Werner Koch)
Date: Sun Apr 24 17:35:52 2005
Subject: [Announce] German speaking mailing list
Message-ID: <87acno89qm.fsf@wheatstone.g10code.de>

Hi!

I have created a new ML similar in intended audience to gnupg-users@gnupg.org but German speaking. Those of you who are speaking German, please feel free to subscribe or to direct people preferring German to this new list:

  http://lists.gnupg.org/mailman/listinfo/gnupg-de

Note that we already host a Russian speaking list at gnupg.org:

  http://lists.gnupg.org/mailman/listinfo/gnupg-ru

and that there is a Japanese list at:

  http://www.egroups.co.jp/group/gnupgnewsjapan/

as well as an Italian speaking list at:

  http://itlists.org/mailman/listinfo/gnupg-it/

Salam-Shalom,

   Werner

From list at omicron-persei-8.net Mon Apr 25 06:53:31 2005
From: list at omicron-persei-8.net (Tyler Retzlaff)
Date: Mon Apr 25 06:51:19 2005
Subject: gpgme & gpgme_data_write problem
In-Reply-To: <426BBCE1.1020504@omicron-persei-8.net>
References: <426BBCE1.1020504@omicron-persei-8.net>
Message-ID: <426C77CB.7040508@omicron-persei-8.net>

bah, have to gpgme_data_seek(plain, 0, SEEK_SET); before encrypting.

Seems kind of obvious now, but maybe should have been documented.

Tyler Retzlaff wrote:
> I'm using the following piece of code which is heavily derived from that
> found in the gpgme/test directory. (With error checking removed for
> clarity, though in the real code all error checking is being done)
>
> The problem is when I use gpgme_data_write() to enter the text into the
> plain text data buffer before encryption it doesn't end up being
> encrypted as a part of cipher text. The resulting encrypted message is
> empty.
>
> This doesn't happen if I initialize the plain data buffer with
> gpg_data_new_from_mem(). Am I using gpgme_data_new() and
> gpgme_data_write() incorrectly? Or is libgpgme at fault? btw. using
> gpgme 1.0.1/gnupg 1.2.6 being used.
>
> Advice is appreciated, thanks!
> > int > main(int argc, char **argv) > size_t wbytes; > gpgme_error_t e; > gpgme_ctx_t ctx; > gpgme_data_t plain; > gpgme_data_t cipher; > gpgme_key_t key[2] = { NULL, NULL }; > gpgme_encrypt_result_t r; > gpgme_data_encoding_t enc; > > setlocale (LC_ALL, ""); > gpgme_check_version (NULL); > gpgme_set_locale(NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL)); > gpgme_set_locale(NULL, LC_MESSAGES, setlocale (LC_MESSAGES, > NULL)); > > gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP); > gpgme_new(&ctx); > gpgme_set_armor(ctx, 1); > > gpgme_data_new(&plain); > gpgme_data_new(&cipher); > gpgme_get_key(ctx, "93EE05A3D02C75B7B451AF1E6449D89A2D2C2204", > &key[0], 0); > > wbytes = sizeof("This is the first line.\n"); > gpgme_data_write(plain, "This is the first line.\n", wbytes); > fprintf(stderr, "wrote %d bytes\n", wbytes); > gpgme_op_encrypt(ctx, key, 0, plain, cipher); > r = gpgme_op_encrypt_result(ctx); > > print_data(cipher); > gpgme_key_unref(key[0]); > gpgme_data_release(plain); > gpgme_data_release(cipher); > gpgme_release(ctx); > > return EXIT_SUCCESS; > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From eocsor at gmail.com Mon Apr 25 09:33:07 2005 From: eocsor at gmail.com (Roscoe) Date: Mon Apr 25 09:29:31 2005 Subject: Modifying the number of iterations in S2K generation Message-ID: loop-aes comes with the following patch for gnupg: " --- gnupg-1.4.1/g10/passphrase.c.old Tue Feb 15 13:02:31 2005 +++ gnupg-1.4.1/g10/passphrase.c Wed Mar 16 17:35:20 2005 
@@ -1331,7 +1331,7 @@ if( create && !pass ) { randomize_buffer(s2k->salt, 8, 1); if( s2k->mode == 3 ) - s2k->count = 96; /* 65536 iterations */ + s2k->count = 208; /* 8388608 byte count */ } if( s2k->mode == 3 ) { "

Any comments on modifying the number of iterations like was done here to something higher?

Looking at the rfc it would seem that the number of iterations is some arbitrary value set by the client and taking a guess here one would expect gpg's value to be on the low end of the scale to accommodate 486 users and the like.

(I know that iteration count will linearly affect the time the S2K function will take to run, and also the time it takes to bruteforce the password.)

I take it this will affect all password to key generation and hence the private key's encryption as well as gpg -c?

Trivial matter I know, I was just curious to see that the loop-aes folk felt the need to bother patching gpg.

From wk at gnupg.org Mon Apr 25 09:58:10 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Apr 25 09:56:24 2005
Subject: Modifying the number of iterations in S2K generation
In-Reply-To: (eocsor@gmail.com's message of "Mon, 25 Apr 2005 17:03:07 +0930")
References:
Message-ID: <87vf6b5lv1.fsf@wheatstone.g10code.de>

On Mon, 25 Apr 2005 17:03:07 +0930, Roscoe said:

> Trivial matter I know, I was just curious to see that the loop-aes
> folk felt the need to bother patching gpg.

You only need to enter the passphrase once when mounting the filesystem. In contrast, with gpg you need to enter the passphrase for every message and thus it should not take too long.

Except for the -c case, the security of OpenPGP comes from keeping the keys secret, whereas crypto filesystems most often rely only on a passphrase. It would be better to use public key crypto with crypto file systems too. It's as easy as to use a random passphrase and encrypt this using a regular gpg key.

Salam-Shalom,

   Werner

From harry_b at mm.st Mon Apr 25 10:00:18 2005
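Review bot: in the @@ -1331,7 +1331,7 @@ hunk of g10/passphrase.c, the replacement "s2k->count = 208;" is still a bare magic number, and it now applies to every mode 3 S2K created through this branch with no way to select the previous cost. Suggest a named constant (or a run-time option) for the coded count, and a comment that says outright that 208 is the one-octet coded value while 8388608 is the number of octets hashed, since the removed comment called the same kind of quantity "iterations".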
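The two coded counts in the patch quoted in this thread (96 and 208), expanded with the count formula from RFC 2440 section 3.6.1.3, together with the inverse mapping and the resulting cost per passphrase guess. This is an added example, not code from GnuPG or loop-aes; the function names are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 2440, section 3.6.1.3: an iterated+salted S2K (mode 3) stores a
 * one-octet coded count c.  It expands to the number of OCTETS of
 * salt+passphrase fed to the hash, not to a number of hash rounds. */
#define S2K_EXPBIAS 6

/* Hypothetical helper names; only the formula comes from the RFC. */
uint32_t s2k_decode_count(uint8_t c)
{
    return (uint32_t)(16 + (c & 15)) << ((c >> 4) + S2K_EXPBIAS);
}

/* Smallest coded count that hashes at least `wanted` octets.  The decoded
 * value grows strictly with c, so a linear scan finds it; requests above
 * the maximum (c = 255, 65011712 octets) are clamped to 255. */
uint8_t s2k_encode_count(uint32_t wanted)
{
    unsigned c;

    for (c = 0; c < 255; c++)
        if (s2k_decode_count((uint8_t)c) >= wanted)
            break;
    return (uint8_t)c;
}

/* Octets actually hashed for one passphrase guess: the decoded count, or
 * the whole 8-octet salt plus passphrase once if that is longer. */
uint32_t s2k_octets_hashed(uint8_t c, uint32_t passphrase_len)
{
    uint32_t count = s2k_decode_count(c);
    uint32_t unit = 8 + passphrase_len;

    return count < unit ? unit : count;
}

/* How many times more hashing each guess costs after changing the count. */
uint32_t s2k_cost_ratio(uint8_t old_c, uint8_t new_c)
{
    return s2k_decode_count(new_c) / s2k_decode_count(old_c);
}

int main(void)
{
    const uint8_t stock = 96, patched = 208;   /* the values in the patch */

    printf("c=%3u -> %8lu octets\n", (unsigned)stock,
           (unsigned long)s2k_decode_count(stock));
    printf("c=%3u -> %8lu octets\n", (unsigned)patched,
           (unsigned long)s2k_decode_count(patched));
    printf("cost per guess: x%lu\n",
           (unsigned long)s2k_cost_ratio(stock, patched));
    printf("coded count for >= 1000000 octets: %u\n",
           (unsigned)s2k_encode_count(1000000));
    return 0;
}
```

The same factor applies to the legitimate user and to someone guessing passphrases, which is the trade-off discussed in the reply about how often a passphrase has to be entered.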
From: harry_b at mm.st (harry_b@mm.st)
Date: Mon Apr 25 09:56:36 2005
Subject: [Announce] German speaking mailing list
In-Reply-To: <87acno89qm.fsf@wheatstone.g10code.de>
References: <87acno89qm.fsf@wheatstone.g10code.de>
Message-ID: <93F62CB3796987812ED6E5AD@toughbook>

Hi everybody,

I am trying to get around the lacking feature of gpgme to tell me for which keys a message has been encrypted for.

I am running gpg 1.4.0 on Debian unstable.

I thought, that 'gpg --list-only filename' should give me all keys, a message was encrypted for. Unfortunately, this seems not to include my own keys.

If a message is encrypted for several recipients, it lists all except my own keys. If it's encrypted for myself only, it doesn't list anything at all.

Do I miss something here? Can I somehow get ALL keys?

TIA,
Harry

--
1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++
------END GEEK CODE BLOCK------

From harry_b at mm.st Mon Apr 25 10:27:49 2005
From: harry_b at mm.st (harry_b@mm.st)
Date: Mon Apr 25 10:23:37 2005
Subject: gpg --list-only argument
Message-ID: <315711438F5C41BC85487D11@toughbook>

Hi everybody,

sorry for the wrong subject before - I repost my message with the proper subject this time.

I am trying to get around the lacking feature of gpgme to tell me for which keys a message has been encrypted for.

I am running gpg 1.4.0 on Debian unstable.

I thought, that 'gpg --list-only filename' should give me all keys, a message was encrypted for. Unfortunately, this seems not to include my own keys.

If a message is encrypted for several recipients, it lists all except my own keys. If it's encrypted for myself only, it doesn't list anything at all.

Do I miss something here? Can I somehow get ALL keys?

TIA,
Harry

--
1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++
------END GEEK CODE BLOCK------

From henkdebruijn at wanadoo.nl Mon Apr 25 11:53:16 2005
From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn)
Date: Mon Apr 25 11:49:09 2005
Subject: Sign more than one uid
Message-ID: <1123041056.20050425115316@wanadoo.nl>

If you don't select a uid all user id's will be signed. Is it possible to select more than one uid for signing?

TIA

--
Henk M. de Bruijn
______________________________________________________________________
The Bat! Natural E-Mail System version 3.0.9.18 Pro on Windows XP SP2
Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B
Gossamer Spider Web of Trust http://www.gswot.org
A progressive and innovative Web of Trust

From patrick at mozilla-enigmail.org Mon Apr 25 11:58:00 2005
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Mon Apr 25 11:55:15 2005
Subject: gpg --list-only argument
In-Reply-To: <315711438F5C41BC85487D11__3480.22192852131$1114417545$gmane$org@toughbook>
References: <315711438F5C41BC85487D11__3480.22192852131$1114417545$gmane$org@toughbook>
Message-ID:

harry_b@mm.st wrote:
> Hi everybody,
>
> sorry for the wrong subject before - I repost my message with the proper
> subject this time.
>
> I am trying to get around the lacking feature of gpgme to tell me for
> which keys a message has been encrypted for.
>
> I am running gpg 1.4.0 on Debian unstable.
>
> I thought, that 'gpg --list-only filename' should give me all keys, a
> message was encrypted for. Unfortunately, this seems not to include my
> own keys.
>
> If a message is encrypted for several recipients, it lists all except my
> own keys. If its encrypted for myself only, it doesn't list anything at
> all.
>
> Do I miss something here? Can I somehow get ALL keys?

"gpg --status-fd 1 --list-only filename" will do it -- and it even does it in an easily parseable way.

-Patrick

From siering at elpino.de Mon Apr 25 10:52:51 2005
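A sketch of parsing the status output suggested in the reply above, added here as an example and not taken from any poster or from GnuPG. It assumes the ENC_TO status line layout described in GnuPG's doc/DETAILS (long key ID, public-key algorithm number, key length); the sample text and key IDs are constructed, and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECIPIENTS 16

struct recipient {
    char keyid[17];  /* long key ID: 16 hex digits + NUL */
    int  algo;       /* OpenPGP public-key algorithm number (1 RSA, 16 Elgamal) */
    int  bits;       /* key length in bits, 0 when gpg does not report one */
};

/* Constructed sample, not captured output.  Lines 2 and 4 are there to
 * exercise the skip paths; lines 5 and 6 are malformed on purpose. */
static const char SAMPLE_STATUS[] =
    "[GNUPG:] ENC_TO 1122334455667788 16 0\n"
    "gpg: encrypted with ELG-E key, ID 55667788\n"
    "[GNUPG:] ENC_TO 99AABBCCDDEEFF00 1 2048\n"
    "[GNUPG:] NO_SECKEY 99AABBCCDDEEFF00\n"
    "[GNUPG:] ENC_TO nothex 16 0\n"
    "[GNUPG:] ENC_TO 0123456789ABCDEF\n";

/* Exactly 16 hex digits, nothing more. */
static int is_long_keyid(const char *s)
{
    int i;

    for (i = 0; i < 16; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return s[16] == '\0';
}

/* Collect every well-formed ENC_TO line from a status stream.
 * Returns the number of recipients stored in out[0..max-1]. */
int parse_enc_to(const char *status, struct recipient *out, int max)
{
    static const char prefix[] = "[GNUPG:] ENC_TO ";
    const size_t plen = sizeof prefix - 1;
    int n = 0;

    while (*status && n < max) {
        size_t len = strcspn(status, "\n");
        char line[128], keyid[33];
        int algo, bits;

        /* Over-long lines and other keywords are skipped, not truncated. */
        if (len < sizeof line && strncmp(status, prefix, plen) == 0) {
            memcpy(line, status, len);
            line[len] = '\0';
            if (sscanf(line + plen, "%32s %d %d", keyid, &algo, &bits) == 3
                && is_long_keyid(keyid)) {
                strcpy(out[n].keyid, keyid);
                out[n].algo = algo;
                out[n].bits = bits;
                n++;
            }
        }
        status += len;
        if (*status == '\n')
            status++;
    }
    return n;
}

/* Is a given long key ID (upper-case hex, as gpg prints it) a recipient? */
int encrypted_to(const struct recipient *r, int n, const char *keyid)
{
    int i;

    for (i = 0; i < n; i++)
        if (strcmp(r[i].keyid, keyid) == 0)
            return 1;
    return 0;
}

int main(void)
{
    struct recipient r[MAX_RECIPIENTS];
    int i, n = parse_enc_to(SAMPLE_STATUS, r, MAX_RECIPIENTS);

    for (i = 0; i < n; i++)
        printf("%s algo=%d bits=%d\n", r[i].keyid, r[i].algo, r[i].bits);
    return 0;
}
```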
From: siering at elpino.de (Stephan Siering)
Date: Mon Apr 25 12:15:13 2005
Subject: making GPG portable
In-Reply-To: <315711438F5C41BC85487D11@toughbook>
Message-ID: <20050425085251.E6F22B8403C@bluesky.elpino.de>

Hi Group !

As new user in GPG I have a question on portability with GPG. When using GPG on a workstation, it's easy to secure a file containing my passwords, keys, pin's and so on.

But what, when I am not at home ? I want to store all needed files on an USB device to en- and decrypt secret files. So I made a configuration which works on an USB device without installing anything on the Windows engine.

Here my question: Is it a good idea to do this ? If the USB device is lost, only the pass-phrase secures the crypted file. Is the risk too high, or will this secure enough ? Has anybody a better idea for that usage ?

Thank you
Stephan

From wk at g10code.com Thu Apr 21 17:23:26 2005
From: wk at g10code.com (Werner Koch)
Date: Mon Apr 25 12:15:49 2005
Subject: [Announce] GnuPG 1.9.16 (S/MIME) released
Message-ID: <87d5socfwx.fsf@wheatstone.g10code.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

We are pleased to announce the availability of GnuPG 1.9.16; the development branch of GnuPG featuring the S/MIME protocol.

GnuPG 1.9 is the development version of GnuPG; it is based on some old GnuPG 1.3 code and the previous NewPG package. It will eventually lead to a GnuPG 2.0 release. Note that GnuPG 1.4 and 1.9 are not yet in sync and thus features and bug fixes done in 1.4 are not available in 1.9. *Please keep on using 1.4.x for OpenPGP*; 1.9.x and 1.4.x may be installed simultaneously.

You should use GnuPG 1.9 if you want to use the gpg-agent or gpgsm (the S/MIME variant of gpg). The gpg-agent is also helpful when using the stable gpg version 1.4 (as well as the old 1.2 series).

This is mainly a bug fix release but comes with some new features as well:

 * gpg-agent does now support the ssh-agent protocol and thus allows to use the pinentry as well as the OpenPGP smartcard with ssh.

 * New tool gpg-connect-agent as a general client for the gpg-agent.

 * New tool symcryptrun as a wrapper for certain encryption tools.

 * The gpg tool is not anymore built by default because those gpg versions available in the gnupg 1.4 series are far more matured.
Please get it from the mirrors as listed at http://www.gnupg.org/download/mirrors.html or direct from ftp.gnupg.org:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.16.tar.bz2 (1667k)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.16.tar.bz2.sig

or as a patch against the previous release:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.15-1.9.16.diff.bz2 (108k)

You will also need to get a new libksba (the X.509 and CMS parser):

  ftp://ftp.gnupg.org/gcrypt/alpha/libksba/libksba-0.9.11.tar.bz2 (443k)
  ftp://ftp.gnupg.org/gcrypt/alpha/libksba/libksba-0.9.11.tar.bz2.sig

a patch is also available:

  ftp://ftp.gnupg.org/gcrypt/alpha/libksba/libksba-0.9.10-0.9.11.diff.bz2 (112k)

GnuPG 1.9 makes use of a separate tool for CRL checking, this is called the Dirmngr. We have also released a new version of it and we suggest to update to that release:

  ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-0.9.2.tar.bz2 (463k)
  ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-0.9.2.tar.bz2.sig

as usual we also provide a patch:

  ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-0.9.1-0.9.2.diff.bz2 (16k)

SHA-1 checksums for the above files are:

  7e470baf9a91221342af5aad57319329bf983a3a  gnupg-1.9.16.tar.bz2
  5a296cd8788f7fe2495bc014f8e19a4d2a000dc8  gnupg-1.9.15-1.9.16.diff.bz2
  0dc8a41b3165404ccdb0e4a3701412f7cc625b11  libksba-0.9.11.tar.bz2
  9805a08fd74b64c23262d31b741b12b0a59f04b2  libksba-0.9.10-0.9.11.diff.bz2
  0e8377deb78408b9081681ea1437667cc3c5b77e  dirmngr-0.9.2.tar.bz2
  5f02bd2a9c5ac9214e0412d48d8d5342e230a2b0  dirmngr-0.9.1-0.9.2.diff.bz2

Happy hacking,

  Werner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iEYEARECAAYFAkJnxRgACgkQYHhOlAEKV+3RUgCeKeZvWsVNJDK5Mm5GKRmTzPjL
/sMAoLmKF4+61cYHk/NxKUlmqUxSIq2T
=yxLM
-----END PGP SIGNATURE-----

--
g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459
Hüttenstr.
61 Geschäftsführung Werner Koch
D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608

From martin.blais at gmail.com Sat Apr 23 22:16:12 2005
From: martin.blais at gmail.com (Martin Blais)
Date: Mon Apr 25 12:15:54 2005
Subject: i-name XRI to GPG identity
Message-ID: <8393fff0504231316f14f107@mail.gmail.com>

hi

i have been searching the web for information about creating GnuPG identities mapped to a specific i-name rather than an email address. i can't find anything about it. i'm curious to see if anyone has made work on this issue.

context: my understanding of Identity Commons / XDI (OASIS) / 2idi (com) is that they are attempting to establish a digital identity framework by creating open standards and prototype implementations for the [IMO unavoidable] establishment of an information brokerage infrastructure.

part of this exercise is the difficult task of creating a global registry of identities, analog to DNS/ICANN, with a mechanism to lookup specific info about a user (with consent/encryption/trust, etc.) by looking up information brokers (i-brokers) which would manage and serve this information. their infrastructure defines protocols and is open, so that anyone could implement any kind of information brokerage services.

in this context, i-names specify a unique identity, more or less like a domain name. for example, from an i-name, you could get someone's email address, with their permission (actually, this is the first example application from 2idi, the first registrar to implement this system, a contact page).

anyway, the first that comes to mind as a pgp user is for a brokerage service to serve public keys from i-names. (most people tend to think of single-sign-on as the prototypical application, but it can do anything, the protocol is open and made generic on purpose).

to be very concrete, someone wanting to lookup my pgp key could query for "=martin.blais/+pgpkey" to find the i-number of a i-broker that serves my public key resource and then automatically fetch the key from the system (this of course would be implemented by whatever software needs it).
i-names are not meant to change as long as they're in use by a specific individual (although, like email addresses, they can be transferred and reused). this means, for example, that someone wanting to reach me over the next 50 years could potentially look up my current email address, or my postal address, by using my i-name (if i decided to have broker that makes that public). my address can change, my email can change, but my i-name won't. i'm sure you get the idea.

1. so, if this takes off (it _does_ look to me like the best, most open effort to do this to date), being able to tie an i-name to a GPG identity seems to me like a better option than tying it to an email address. (although, now that i think of it more, i suppose that the i-name/XRI could point to a unique PGP key identity (i.e. the 0x_____ number), and then indirectly use the pgp keyservers to lookup the key using that number.)

2. one kind of very important bit of information that could be brokered is "permissions" to do something or other (e.g. login). this could be easily implemented using pgp signatures to establish a trusted network. seems like you guys should be involved in this idcommons thing...

i just tried creating a new identity with gnupg-1.4.1 and i could not get away with entering an i-name instead of an email address. i suppose that it wouldn't be hard to change the accepted format of the identifier (i.e. do not require @ character in email, accept the XRI char syntax).

any ideas?

p.s. please Cc replies, i'm not permanently on the list

From matthijs at cacholong.nl Sun Apr 24 22:11:01 2005
From: matthijs at cacholong.nl (Matthijs Mohlmann)
Date: Mon Apr 25 12:15:57 2005
Subject: gpgme list secret keys
Message-ID: <426BFD55.70200@cacholong.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm trying to write a plugin for gaim to get GPG encryption support in gaim. Now i came across the following. I want the user to choose their secret key. How can i do this ? I have the following piece of code and read the documentation several times but it seems impossible (i think i misread the documentation)

    if (!err) {
        err = gpgme_op_keylist_start(ctx, NULL, 0);
        while (!err) {
            uid = key->uids;
            subkey = key->subkeys;
            printf("%s: %s <%s>\n", subkey->keyid, uid->name, uid->email);
            err = gpgme_op_keylist_next(ctx, &key);
        }
        gpgme_release(ctx);
    }

Problem with this code is that i don't have a "key" at that moment available. So i have to do something else.. but how can i do that ?

I hope you can help me.

Matthijs Mohlmann

PS: i'm off the list so please CC me.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCa/1V2n1ROIkXqbARAlCKAJ9bQlpo1Im1jPmhLNfFjIfx3xPfNACfQcf+
Di+jRJhx6QT8c9jKuwgVqKg=
=XwUN
-----END PGP SIGNATURE-----

From wren at cacert.org Mon Apr 25 13:15:17 2005
From: wren at cacert.org (J. Wren Hunt)
Date: Mon Apr 25 13:11:55 2005
Subject: gpgme list secret keys
In-Reply-To: <426BFD55.70200@cacholong.nl>
References: <426BFD55.70200@cacholong.nl>
Message-ID: <426CD145.4060600@cacert.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Matthijs Mohlmann wrote:
> Hi,
>
> I'm trying to write a plugin for gaim to get GPG encryption support in
> gaim. Now i came across the following. I want the user to choose their
> secret key. How can i do this ? I have the following piece of code and
> read the documentation several times but it seems impossible (i think i
> misread the documentation)
>
> if (!err) {
>     err = gpgme_op_keylist_start(ctx, NULL, 0);
>     while (!err) {
>         uid = key->uids;
>         subkey = key->subkeys;
>         printf("%s: %s <%s>\n", subkey->keyid, uid->name, uid->email);
>         err = gpgme_op_keylist_next(ctx, &key);
>     }
>     gpgme_release(ctx);
> }
>
> Problem with this code is that i don't have a "key" at that moment
> available. So i have to do something else.. but how can i do that ?
>
> I hope you can help me.
>
> Matthijs Mohlmann
>
> PS: i'm off the list so please CC me.

You may be interested in the OpenPGP code logic used by the Psi Jabber client at: psi.affinix.com

- --
Cheers!

J. Wren Hunt
Cambridge, MA. USA
- ------------
"The difference between the right word and the almost right word is the difference between lightning and the lightning bug." -- Mark Twain

+------------------------------------------------------------------+
| v-card http://wrenhunt.homelinux.org/data/wren.vcf |
| x.509 http://wrenhunt.homelinux.org/data/thawte_wren_hunt.cer |
| OpenPGP ADF5 1432 A59E 8F4D 4AE7 4DFE 03FA 91E1 4A24 D6F4 |
+------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCbNFFA/qR4Uok1vQRA3ioAKC1dbgabu9Q9OEjS44CRWT3X5oPRACg1qzw
sTIb7+/oGhbxvcdHoUQezA4=
=MZL1
-----END PGP SIGNATURE-----

From wk at gnupg.org Mon Apr 25 15:01:23 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Apr 25 15:00:58 2005
Subject: gpgme list secret keys
In-Reply-To: <426BFD55.70200@cacholong.nl> (Matthijs Mohlmann's message of "Sun, 24 Apr 2005 22:11:01 +0200")
References: <426BFD55.70200@cacholong.nl>
Message-ID: <874qdv57to.fsf@wheatstone.g10code.de>

On Sun, 24 Apr 2005 22:11:01 +0200, Matthijs Mohlmann said:

> err = gpgme_op_keylist_start(ctx, NULL, 0);

Replace the 0 by a 1 to list only keys where a secret key is available.

> while (!err) {
>     uid = key->uids;
>     subkey = key->subkeys;
>     printf("%s: %s <%s>\n", subkey->keyid, uid->name, uid->email);
>     err = gpgme_op_keylist_next(ctx, &key);
> }

That should be:

    while (!err && !(err = gpgme_op_keylist_next(ctx, &key))) {
        uid = key->uids;
        subkey = key->subkeys;
        printf("%s: %s <%s>\n", subkey->keyid, uid->name, uid->email);
        gpgme_key_unref (key);
    }

Salam-Shalom,

   Werner

From wk at gnupg.org Mon Apr 25 15:02:59 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Apr 25 15:01:08 2005
Subject: gpgme list secret keys
In-Reply-To: <426BFD55.70200@cacholong.nl> (Matthijs Mohlmann's message of "Sun, 24 Apr 2005 22:11:01 +0200")
References: <426BFD55.70200@cacholong.nl>
Message-ID: <87zmvn3t6k.fsf@wheatstone.g10code.de>

On Sun, 24 Apr 2005 22:11:01 +0200, Matthijs Mohlmann said:

> I hope you can help me.

BTW, there are a lot of examples in the tests/ directory. For example tests/gpgsm/t-keylist.c

Shalom-Salam,

   Werner

From wk at gnupg.org Mon Apr 25 15:08:16 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Apr 25 15:05:55 2005
Subject: i-name XRI to GPG identity
In-Reply-To: <8393fff0504231316f14f107@mail.gmail.com> (Martin Blais's message of "Sat, 23 Apr 2005 16:16:12 -0400")
References: <8393fff0504231316f14f107@mail.gmail.com>
Message-ID: <87r7gz3sxr.fsf@wheatstone.g10code.de>

On Sat, 23 Apr 2005 16:16:12 -0400, Martin Blais said:

> i have been searching the web for information about creating GnuPG
> identities mapped to a specific i-name rather than an email address.
> i can't find anything about it.

Although not having read the entire mail, you probably want to use the option

  --allow-freeform-uid
       Disable all checks on the form of the user ID while generating a new one. This option should only be used in very special environments as it does not ensure the de-facto standard format of user IDs.

Salam-Shalom,

   Werner

From dshaw at jabberwocky.com Mon Apr 25 16:23:35 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Apr 25 16:20:05 2005
Subject: Sign more than one uid
In-Reply-To: <1123041056.20050425115316@wanadoo.nl>
References: <1123041056.20050425115316@wanadoo.nl>
Message-ID: <20050425142335.GA18575@jabberwocky.com>

On Mon, Apr 25, 2005 at 11:53:16AM +0200, Henk M. de Bruijn wrote:
> If you don't select a uid all user id's will be signed. Is it possible
> to select more than one uid for signing?

Sure, just select all the user IDs you want to sign, then "sign". It's the same as signing one user ID, except there are more than one.

David

From johanw at vulcan.xs4all.nl Mon Apr 25 20:33:44 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon Apr 25 20:28:32 2005
Subject: Rescue secring
In-Reply-To: <426956B4.2020305@infinito.it>
Message-ID: <200504251833.UAA00251@vulcan.xs4all.nl>

Archimedes wrote:

>Ever heard of differential and incremental backups?

Yes. They're a pain when you want to get back a single file, which is usually the case when I need a backup.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From hhhobbit7 at netscape.net Mon Apr 25 21:32:15 2005
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit)
Date: Mon Apr 25 21:28:49 2005
Subject: Cant create directory error
Message-ID: <477FD797.5B92526C.0307202B@netscape.net>

>Message: 6
>Date: Sun, 24 Apr 2005 16:37:14 +1000
>From: Peter Jones
>Subject: Re: Cant create directory error
>To: gnupg-users@gnupg.org
>Message-ID: <200504241637.14279.pete@petesplace.id.au>
>Content-Type: text/plain; charset="iso-8859-1"
>
>On Thu, 21 Apr 2005 03:26 am, Carlos M wrote:
>> Hi there im having problems trying to decrypt a message using PHP or
>> Perl. When i run the perl script directly from the linux bash it works
>> just fine, but when i run the script from the browser it doesnt work.
>> Checkin the apache logs it says:
>>
>> Name "main::passphrase" used only once: possible typo at
>> /usr/local/apache/cgi-bin/decrypt.pl line 10.
>> gpg: fatal: ~/.gnupg: can't create directory: No such file or directory
>>
>> I create the keys using root as user. I got the .gnupg directory on
>> /root with the correct keys in there. I have the correct keys in my
>> local repository. I dont know what im doing wrong.
>
>I cannot see any other responses [possibly because the Reply-to on your
>message doesn't seem to be configured correctly??] to this so I'll give
>it a shot.
>
>It is almost certain that apache is not running as root (and if it *is*,
>it is a very bad security risk!)
>
>Chances are it will be running as either user "apache", or as "nobody";
>you will need to check your httpd.conf file to be sure. Apache,
>therefore, calls your cgi script as this user, and your script calls gpg
>as this user. gpg then tries to create ~/.gnupg -- and either the user
>home directory doesn't exist, or (for various security reasons) apache
>does not have wtrite access to it.
>
>Best bet is to create a .gnupg file somewhere apache can find it, then in
>your script use "gpg --options /path/to/.gnupg" to specify the correct
>options file for it to use...
>
>(Additionally I'd investigate that main::passphrase warning if I were
>you! ;-))

I don't know whether he has Apache in a default config on a 'nix box or what. I am assuming he has some version of 'nix with the word "root" in the lines.
If it is a default config, then he has an Apache user:

Password Entries:
=================
apache:x:48:48:Apache:/var/www:/sbin/nologin
...
hhhobbit:x:500:500:Henry Hertz Hobbit:/home/hhhobbit:/bin/bash

Group Entries:
==============
apache:x:48:
...
hhhobbit:x:500:

He can create the .gnupg folder as an ordinary user or as root, but in any case he will have to move the folder (eventually) to /var/www and chown and chgrp it to apache. On Linux:

    cd    # to where your .gnupg was created
    cp -rp .gnupg /var/www
    cd /var/www
    chown -R apache:apache .gnupg
    chmod 700 .gnupg
    cd .gnupg
    chmod 400 *

There is one tricky problem; apache has the /sbin/nologin shell which means apache cannot login, but I assume that is easily handled by the way it is started up, and the fact that you are forking off another process off of something already running.

Ciao

Henry Hertz Hobbit

--
Key Name: "Henry Hertz Hobbit"
pub 1024D/E1FA6C62 2005-04-11 [expires: 2006-04-11]
Key fingerprint = ACA0 B65B E20A 552E DFE2 EE1D 75B9 D818 E1FA 6C62

From list at omicron-persei-8.net Tue Apr 26 02:22:16 2005
From: list at omicron-persei-8.net (Tyler Retzlaff)
Date: Tue Apr 26 02:18:29 2005
Subject: gpgme encrypting a buffer at a time (streaming)
Message-ID: <20050426002216.GA9066@calculon.omicron-persei-8.net>

I previously saw a post that indicated encrypting a buffer at a time was possible in the case the producer of the data being encrypted was streaming.

The algorithm went a little something like this:

    while ((n_read = getdata( buffer )) > 0) {
        write_data_to_gpgme (buffer);
        enc = get_encrypted_data_from_gpgme ();
        do_something_with_encrypted_data (enc);
    }

My producer is a source of memory (a stream buffer infact). So I tried to do the following with no success.

    gpgme_data_new(&plain);
    gpgme_data_new(&cipher);
    gpgme_encrypt_op_start(ctx, keys, plain, cipher);
    while ((wbytes = getdata(srcbuffer)) > 0) {
        gpgme_data_write(plain, srcbuffer, wbytes);
        while (gpgme_data_read(cipher, dstbuffer, wbytes) != GPGME_EOF) {
            gpgme_data_read(cipher, dstbuffer, dstbuf_sz);
            /* do something with dst buffer */
        }
    }

I realize this isn't how it should be done, does anyone have an example of how to do this without using the fd or file stream gpgme interface? I'm dealing with strictly memory based producers and consumers and at no time want anything in a file.

Example code would be greatly appreciated!

Thanks

From pete at petesplace.id.au Tue Apr 26 10:53:28 2005
From: pete at petesplace.id.au (Peter Jones) Date: Tue Apr 26 10:49:28 2005 Subject: Cant create directory error In-Reply-To: <477FD797.5B92526C.0307202B@netscape.net> References: <477FD797.5B92526C.0307202B@netscape.net> Message-ID: <200504261853.29026.pete@petesplace.id.au> On Tue, 26 Apr 2005 05:32 am, Henry Hertz Hobbit wrote: > I don't know whether he has Apache in a default config on a 'nix box > or what. I am assuming he has some version of 'nix with the word > "root" in the lines. If it is a default config, then he has an Apache > user: Indeed. I seem to recall an early install using "nobody" -- but maybe I'm wrong... And yes, I too assumed a *nix environment from the mention of "root". In a Windows (NT) environment, Apache runs as a "local system account" -- presumably its own account -- and will not have access to anything specific to another user's account (ie, "My Documents" or whatever) and, depending on LAN configuration, may not have access to network drives. It can, of course, be configured to login under any account name you like... Pete. From brett at eecs.tufts.edu Tue Apr 26 15:27:20 2005 
From: brett at eecs.tufts.edu (brett) Date: Tue Apr 26 15:23:14 2005 Subject: Apache/PHP - 'loading shared library error'??? Message-ID: Hi, I'm trying to get gpg to run from PHP and have run into a problem i can't solve. I can use proc_open() to execute other commands, but not gpg. It wont even run: /usr/bin/gpg --version Grrrr... When i do run that, the stderr pipe shows me the following message: /usr/bin/gpg: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied Can anyone tell me what that means? Also, the process exit status is '127'. I looked but can't find any explanation of that either (though its a php code i imagine). Thanks in advance, -brett Here's the php code i used: function gpgVerify() { $gpgPath = '/usr/bin/gpg'; if(!is_executable($gpgPath)) { trigger_error("gpgVerify::gpg is not executable", E_USER_ERROR); die(); } else { // first we'll set up a pipe for gpg to write STDOUT to $descriptorSpec = array( 1 => array("pipe", "w"), 2 => array("pipe", "w") ); $command = $gpgPath . " --version"; $gpgProcess = proc_open( $command, $descriptorSpec, $pipes); if(is_resource($gpgProcess)) { $gpgOutput = ''; while(!feof($pipes[1])) { $gpgOutput .= fgets($pipes[1], 1024); } echo '
pipe[1] =

'.$gpgOutput; fclose($pipes[1]); $stdErrOut = ''; while(!feof($pipes[2])) { $stdErrOut .= fgets($pipes[2], 1024); } echo '


pipe[2] =

'.$stdErrOut; fclose($pipes[2]); // close the $gpgProcess $processExitStatus = proc_close($gpgProcess); echo '


$processExitStatus:

'.$processExitStatus; if(!ereg('^gpg ', $gpgOutput)) { trigger_error("gpg executable is not GnuPG.", E_USER_ERROR); die(); } unset( $gpgPath, $gpgOutput, $descriptorSpec, $command, $gpgProcess, $pipes, $processExitStatus, $gpgErrorMessage ); } else { trigger_error("gpgVerify::proc_open failed.", E_USER_ERROR); die(); } } return true; } From atom at smasher.org Tue Apr 26 16:05:48 2005 From: atom at smasher.org (Atom Smasher) Date: Tue Apr 26 16:01:45 2005 Subject: Apache/PHP - 'loading shared library error'??? In-Reply-To: References: Message-ID: <20050426140552.40008.qmail@smasher.org> On Tue, 26 Apr 2005, brett wrote: > I'm trying to get gpg to run from PHP and have run into a problem i > can't solve. I can use proc_open() to execute other commands, but not > gpg. ============== try this - http://business-php.com/opensource/gpg_encrypt/ -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "We got around to the subject of war again and I said that, contrary to his attitude, I did not think that the common people are very thankful for leaders who bring them war and destruction. "Why, of course, the people don't want war," [he] shrugged. "Why would some poor slob on a farm want to risk his life in a war when the best that he can get out of it is to come back to his farm in one piece. Naturally, the common people don't want war; neither in Russia nor in England nor in America, nor for that matter in Germany. That is understood. But, after all, it is the leaders of the country who determine the policy and it is always a simple matter to drag the people along, whether it is a democracy or a fascist dictatorship or a Parliament or a Communist dictatorship." "There is one difference," I pointed out. 
"In a democracy the people have some say in the matter through their elected representatives, and in the United States only Congress can declare wars." "Oh, that is all well and good, but, voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same way in any country." -- conversation on April 18, 1946 between Hermann Goering (Nazi Reichsmarshall and Luftwaffe-Chief) and Gustave Gilbert, a psychologist and journalist who met regularly with Goering during the Nuremberg trails. These conversations were published in the "Nuremberg Diary" in 1947 From mike.salehi at kodak.com Tue Apr 26 16:32:52 2005 From: mike.salehi at kodak.com (mike.salehi@kodak.com) Date: Tue Apr 26 17:55:37 2005 Subject: how long the key is Message-ID: I always thought the length of key and its subordinate is the same but now I got this pub 1024D/17EEDBD7 1999-06-09 xxxxx xxxxx xxx xxxx sub 4096g/E10A5B9F 1999-06-09 so is it 1024 or 4096 ============================================================================================================== Mike Salehi CISSP Mike.Salehi@kodak.com (585)724-5445 From swright at physics.adelaide.edu.au Tue Apr 26 18:23:18 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Tue Apr 26 18:20:58 2005 Subject: how long the key is In-Reply-To: References: Message-ID: <20050426162318.GI4863@anl.gov> G'day Mike, * mike.salehi@kodak.com [050426 11:04]: > I always thought the length of key and its subordinate is the same but now > I got this > pub 1024D/17EEDBD7 1999-06-09 xxxxx xxxxx xxx xxxx > sub 4096g/E10A5B9F 1999-06-09 > > so is it 1024 or 4096 The primary key is a signing DSA type 1024 bits long, the encryption ElGamal subkey is 4096 bits long. As they are doing two different jobs the lengths need not be the same. 
Have a look at http://www.gnupg.org/gph/en/manual.html#AEN26 for a brief comment on the lengths. I'm sure there are other more elucidating documents available if you look around a bit. Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: not available Url : /pipermail/attachments/20050426/bdb16ecc/attachment.pgp From jdbeyer at exit109.com Tue Apr 26 18:15:52 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Tue Apr 26 18:46:48 2005 Subject: how long the key is In-Reply-To: References: Message-ID: <426E6938.1050700@exit109.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mike.salehi@kodak.com wrote: > I always thought the length of key and its subordinate is the same but now > I got this > pub 1024D/17EEDBD7 1999-06-09 xxxxx xxxxx xxx xxxx > sub 4096g/E10A5B9F 1999-06-09 > > so is it 1024 or 4096 Yes. Your 17EEDBD7 key is 1024 bits and your E10A5B9F key is 4096 bits. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 12:10:00 up 2 days, 5:47, 3 users, load average: 4.09, 4.11, 4.14 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCbmk4Ptu2XpovyZoRAlzCAKCS1RJ+fOkfDtxYcUIRpsvmYV4phgCaA8ai tV9Iqlm4wNAxGNDPoha5YR0= =nx+w -----END PGP SIGNATURE----- From brett at eecs.tufts.edu Wed Apr 27 04:24:13 2005 From: brett at eecs.tufts.edu (brett) Date: Wed Apr 27 04:20:13 2005 Subject: gpg and SELinux Message-ID: AH, so i've determined that the reason i can't run gpg from my php script is because of SELinux. The evidence was in /var/log/messages and follows. Has anyone gotten around this? 
TIA,
Brett

/var/log/messages says:

Apr 26 22:20:53 XXXXXXXXX kernel: audit(1114568453.515:0): avc: denied { execmod } for pid=8035 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=4972274 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:bin_t tclass=file
Apr 26 22:20:53 XXXXXXXXX kernel: audit(1114568453.515:0): avc: denied { execmod } for pid=8035 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=4972274 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:bin_t tclass=file

From matthijs at cacholong.nl Wed Apr 27 10:06:15 2005
From: matthijs at cacholong.nl (Matthijs Mohlmann)
Date: Wed Apr 27 10:40:49 2005
Subject: gpgme list secret keys
In-Reply-To:
References: <426BFD55.70200@cacholong.nl>
Message-ID: <426F47F7.6010309@cacholong.nl>

harry_b@mm.st wrote:
> Hi Matthijs,
>
> I am also fuzzing around with gpgme and its quite troublesome at some
> points.
> If you find a solution for this issue I'd like to know how you solved
> it. :-)
>
> In case you'd let me know how I'd greatly appreciate it!!
>
> TIA & cheers!
> Harry
>

I found out :) (list is a GList *)

Here a code example how i use it:

// Gpgme vars
gpgme_ctx_t ctx;
gpgme_error_t err = gpgme_new(&ctx);
gpgme_key_t key;

if (!err) {
    err = gpgme_op_keylist_start(ctx, NULL, secret);
    while (!(err = gpgme_op_keylist_next(ctx, &key))) {
        if (key->subkeys->secret) {
            // Add only the public keys to the list
            gaim_debug(GAIM_DEBUG_MISC, "gaim-gnupg", "Something going wrong!\n");
            list = g_list_append(list, key->uids->uid);
            list = g_list_append(list, key->subkeys->keyid);
        } else {
            // Add only the secret keys to the list
            gaim_debug(GAIM_DEBUG_MISC, "gaim-gnupg", "%s: %s\n", key->subkeys->keyid, key->uids->uid);
            list = g_list_append(list, key->uids->uid);
            list = g_list_append(list, key->subkeys->keyid);
        }
    }
    gpgme_release(ctx);
}

>
> --On Sunday, April 24, 2005 22:11:01 +0200 Matthijs Mohlmann
> wrote:
>
>> I'm trying to write a plugin for gaim to get GPG encryption support in
>> gaim.
Now i came across the following. I want the user to choose their >> secret key. How can i do this ? I have the following piece of code and >> read the documentation several times but it seems impossible (i think i >> misread the documentation) >> >> if (!err) { >> err = gpgme_op_keylist_start(ctx, NULL, 0); >> while (!err) { >> uid = key->uids; >> subkey = key->subkeys; >> printf("%s: %s <%s>\n", subkey->keyid, uid->name, uid->email); >> err = gpgme_op_keylist_next(ctx, &key); >> } >> gpgme_release(ctx); >> } >> >> Problem with this code is that i don't have a "key" at that moment >> available. So i have to do something else.. but how can i do that ? >> >> I hope you can help me. I hope it will work for you :) Regards, Matthijs Mohlmann -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050427/ac867111/signature.pgp From carlosandres01 at gmail.com Wed Apr 27 18:41:39 2005 From: carlosandres01 at gmail.com (Carlos M) Date: Wed Apr 27 18:38:01 2005 Subject: Cant create directory error In-Reply-To: <200504261853.29026.pete@petesplace.id.au> References: <477FD797.5B92526C.0307202B@netscape.net> <200504261853.29026.pete@petesplace.id.au> Message-ID: Hi guys thanks a lot for your answers i solve the problem already, actually all of you were right, i was running Apache as www user, so i configure the script permisions enabling read, write and execution for www. Additionally on my script, i put the output path of the decrypt file on a directory that www has write and read permisions and all works just fine. Thanks a lot to all of you. Carlos Andres Medina On 4/26/05, Peter Jones wrote: > On Tue, 26 Apr 2005 05:32 am, Henry Hertz Hobbit wrote: > > I don't know whether he has Apache in a default config on a 'nix box > > or what. I am assuming he has some version of 'nix with the word > > "root" in the lines. 
If it is a default config, then he has an Apache > > user: > > Indeed. I seem to recall an early install using "nobody" -- but maybe I'm > wrong... > > And yes, I too assumed a *nix environment from the mention of "root". In > a Windows (NT) environment, Apache runs as a "local system account" -- > presumably its own account -- and will not have access to anything > specific to another user's account (ie, "My Documents" or whatever) and, > depending on LAN configuration, may not have access to network drives. > It can, of course, be configured to login under any account name you > like... > > Pete. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From clint at robotic.com Wed Apr 27 20:25:14 2005 From: clint at robotic.com (Clint Laskowski) Date: Wed Apr 27 21:14:44 2005 Subject: Too Many Keys Message-ID: <426FD90A.7070907@robotic.com> I'm new to GPG. Over the years I've toyed with PGP, etc. Now, I'm trying to integrate keys I've created in the past into GPG. Should I do that? Or should I just start with a fresh new set of keys? If I do integrate them into my GPG install, what's the best way? Should I re-sign them with my new GPG set? If I don't integrate them, should I revoke the old ones? Any pointers will be appreciated. 
-- Clint My new public key block: From shavital at mac.com Wed Apr 27 23:03:00 2005 From: shavital at mac.com (Charly Avital) Date: Wed Apr 27 22:59:09 2005 Subject: Too Many Keys In-Reply-To: <426FD90A.7070907@robotic.com> References: <426FD90A.7070907@robotic.com> Message-ID: At 1:25 PM -0500 4/27/05,
Clint Laskowski wrote: >I'm new to GPG. Over the years I've toyed with PGP, etc. Now, I'm trying >to integrate keys I've created in the past into GPG. Should I do that? >Or should I just start with a fresh new set of keys? I have found in the servers two keys that seem to belong to you: (1) Clinton Laskowski 1024 bit DSA key BB1765B4, created: 2005-04-27 (2) Clint Laskowski 1024 bit DSA key 373BDBAE, created: 2004-06-08 If those keys belong to you, if you can use them (you have the secret keys, you have the passphrase), and people with whom you correspond use them to encrypt to you, then you might consider keeping them, and keep on using them >If I do integrate >them into my GPG install, what's the best way? Export the key blocks (public and private) from your "previous" PGP software, and import them into your current gpg keyrings. Please remember that gpg will accept key blocks with Unix line-ends only. >Should I re-sign them >with my new GPG set? Yes, that would be advisable, in order to have a consistent trust set within your own keyrings. > If I don't integrate them, should I revoke the old >ones? Unless you have a compelling reason to revoke them (e.g. you suspect they have been compromised) you should keep them, provided, as already said, that you have the complete key pairs with their correspondent passphrase. > Any pointers will be appreciated. -- Clint Of course, it's up to you what to do, but I believe the above pointers are consistent with PGP usage. > >My new public key block: > >-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (MingW32) - WinPT 0.9.92 [...] If you intend to upload you new key to the keyservers, there is no need to post the keyblock in a message to the list. 
Welcome and best luck, Charly Mac OS X - gpg 1.4.1 - C91B085E From matthijs at cacholong.nl Wed Apr 27 23:59:31 2005 From: matthijs at cacholong.nl (Matthijs Mohlmann) Date: Wed Apr 27 23:55:27 2005 Subject: Encrypting with gnupg (gpgme library) Message-ID: <42700B43.5070307@cacholong.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm still busy with the gaim plugin. Still thanks for pointing me to the tests in the gpgme source directory, stupid that i didn't checked that one. Well i try to understand the: tests/gpg/t-encrypt.c test program. There are 2 calls: err = gpgme_get_key (ctx, "A0FF4590BB6122EDEF6E3C542D727CC768697734", &key[0], 0); err = gpgme_get_key (ctx, "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2", &key[1], 0); Here we get the public keys. But then suddenly there is an encrypt operation. Where o where do I need to set the secret key. When having multiple secret keys, I have to select the key. What i can get from the seahorse source is that it's added to the end of the key array. Should it be there and where can i find more documentation about that ? And then do the encrypt... err = gpgme_op_encrypt (ctx, key, GPGME_ENCRYPT_ALWAYS_TRUST, in, out); After doing this and do the following: result = gpgme_op_encrypt_result(ctx); if (result->invalid_recipients) { printf("Hmm invalid recipients!!\n"); } Nothing printed, that's ok. After that: #define BUF_SIZE 512 char buf[BUF_SIZE + 1]; int ret; ret = gpgme_data_seek(out, 0, SEEK_SET); printf("Print data: (gpgme_data_seek) %i\n", ret); Now i get a -1 while i expect a value >= 0 When i return the error value, i get: printf("Hmm what error: %s\n", gpgme_strerror(gpgme_error_from_errno(errno))); Hmm what error: Invalid argument Where did i make the fault ? Regards, Matthijs Mohlmann PS: Now i am subscribed to the list. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCcAtD2n1ROIkXqbARAgMWAJ96+cDJf4TMc9CbgK+rvRbR92uyOwCgmknd alZShqDxTxJ6Dquwnw9eSro= =btPM -----END PGP SIGNATURE----- From kfitzner at excelcia.org Thu Apr 28 07:08:44 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Thu Apr 28 07:06:26 2005 Subject: GPGee v0.4 - GNU Privacy Guard Explorer Extension Message-ID: <42706FDC.3050303@excelcia.org> Version 0.4 of GPGee (GNU Privacy Guard Explorer Extension) is now available for download. Changes include: - Verify/decrypt support - Configurable encrypt-to-self - Updates to help - Misc bug fixes Information, support, and source & binary (installer) downloads at: http://gpgee.excelcia.org For those that haven't heard of it, GPGee is a Windows explorer shell extension DLL that adds GnuPG functionality to the explorer right-click context menu. Kurt Fitzner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 546 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050427/152d8339/signature.pgp From hawke at hawkesnest.net Thu Apr 28 07:11:20 2005 From: hawke at hawkesnest.net (Alex L. Mauer) Date: Thu Apr 28 07:22:11 2005 Subject: GPG error code with successful signing operation Message-ID: When GPG is set to use the gpg-agent but the gpg-agent is not available (error message "gpg-agent is not available in this session" or "can't connect to `/path/to/non-existent-pipe': No such file or directory"), it produces a fatal error code of 2 even if the passphrase is successfully entered at the prompt. This strikes me as incorrect behavior. -Alex Mauer "hawke" -- Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon. Worse - The cop is drunk too, and he's a mean drunk. FUCK! 
- A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles. gpg/gpg key id: 51192FF2 @ subkeys.pgp.net -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050428/2c87b5ca/signature.pgp From matthijs at cacholong.nl Thu Apr 28 15:15:56 2005 From: matthijs at cacholong.nl (Matthijs Mohlmann) Date: Thu Apr 28 15:13:59 2005 Subject: Encrypting with gnupg (gpgme library) In-Reply-To: <42700B43.5070307@cacholong.nl> References: <42700B43.5070307@cacholong.nl> Message-ID: <4270E20C.4060605@cacholong.nl> Matthijs Mohlmann wrote: > Hi, > > I'm still busy with the gaim plugin. > > Still thanks for pointing me to the tests in the gpgme source directory, > stupid that i didn't checked that one. > > Well i try to understand the: tests/gpg/t-encrypt.c test program. > > There are 2 calls: > err = gpgme_get_key (ctx, "A0FF4590BB6122EDEF6E3C542D727CC768697734", > &key[0], 0); > err = gpgme_get_key (ctx, "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2", > &key[1], 0); > > Here we get the public keys. But then suddenly there is an encrypt > operation. Where o where do I need to set the secret key. When having > multiple secret keys, I have to select the key. What i can get from the > seahorse source is that it's added to the end of the key array. Should > it be there and where can i find more documentation about that ? > > And then do the encrypt... > err = gpgme_op_encrypt (ctx, key, GPGME_ENCRYPT_ALWAYS_TRUST, in, out); > > After doing this and do the following: > result = gpgme_op_encrypt_result(ctx); > if (result->invalid_recipients) { > printf("Hmm invalid recipients!!\n"); > } > Nothing printed, that's ok. 
> > After that: > #define BUF_SIZE 512 > char buf[BUF_SIZE + 1]; > int ret; > ret = gpgme_data_seek(out, 0, SEEK_SET); > printf("Print data: (gpgme_data_seek) %i\n", ret); > > Now i get a -1 while i expect a value >= 0 > > When i return the error value, i get: > printf("Hmm what error: %s\n", > gpgme_strerror(gpgme_error_from_errno(errno))); > > Hmm what error: Invalid argument > Finally found the problem. Compiling with: -D_FILE_OFFSET_BITS=64 did the trick. Thanks. > Where did i make the fault ? > > Regards, > > Matthijs Mohlmann > > PS: Now i am subscribed to the list. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050428/3c2ca686/signature.pgp From s_protsman at yahoo.com Thu Apr 28 18:59:23 2005 From: s_protsman at yahoo.com (Shawn Protsman) Date: Thu Apr 28 19:55:43 2005 Subject: gpg dependency issues (krb5 & klogd) Message-ID: <20050428165923.48499.qmail@web31409.mail.mud.yahoo.com> I am running SuSE Linux Enterprise 9 on an iSeries (Power5 chipset) server: > uname -a Linux l336649e_pub 2.6.5-7.139-pseries64 #1 SMP Fri Jan 14 15:41:33 UTC 2005 ppc64 ppc64 ppc64 GNU/Linux The installed version of gpg is 1.2.4. I would like to update the system to 1.4.x. gpg 1.4 was not available via yast so I downloaded gpg-1.4.0-4.src.rpm from the SuSE 9.3 tree. 
Upon rebuilding the RPM I get the following: > rpmbuild --rebuild gpg-1.4.0-4.src.rpm Installing gpg-1.4.0-4.src.rpm error: Failed build dependencies: klogd is needed by gpg-1.4.0-4 krb5 is needed by gpg-1.4.0-4 klogd is installed and in my path: > which klogd /sbin/klogd And I know I have the kerberos stuff installed: # rpm -qa | grep -i heimdal heimdal-lib-64bit-9-200407011606 heimdal-0.6.1rc3-55.9 heimdal-tools-0.6.1rc3-55.9 heimdal-lib-0.6.1rc3-55.9 heimdal-devel-0.6.1rc3-55.9 heimdal-devel-64bit-9-200501051734 So, I am a little confused as to why these dependency issues appear. Thoughts and suggestions are appreciated in getting this dependency issue with klogd and krb5 resolved. Regrards, Shawn __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From dshaw at jabberwocky.com Thu Apr 28 20:09:59 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Apr 28 20:06:33 2005 Subject: gpg dependency issues (krb5 & klogd) In-Reply-To: <20050428165923.48499.qmail@web31409.mail.mud.yahoo.com> References: <20050428165923.48499.qmail@web31409.mail.mud.yahoo.com> Message-ID: <20050428180959.GD6018@jabberwocky.com> On Thu, Apr 28, 2005 at 09:59:23AM -0700, Shawn Protsman wrote: > I am running SuSE Linux Enterprise 9 on an iSeries > (Power5 chipset) server: > > > uname -a > > Linux l336649e_pub 2.6.5-7.139-pseries64 #1 SMP Fri > Jan 14 15:41:33 UTC > 2005 ppc64 ppc64 ppc64 GNU/Linux > > The installed version of gpg is 1.2.4. I would like > to update the system to 1.4.x. > > gpg 1.4 was not available via yast so I downloaded > gpg-1.4.0-4.src.rpm from the SuSE 9.3 tree. Upon > rebuilding the RPM I get the following: > > > rpmbuild --rebuild gpg-1.4.0-4.src.rpm > Installing gpg-1.4.0-4.src.rpm > error: Failed build dependencies: > klogd is needed by gpg-1.4.0-4 > krb5 is needed by gpg-1.4.0-4 This is a SuSE specific issue. 
GnuPG does not require Kerberos or the kernel logger daemon (which is a Linux specific thing anyway). I don't know why they have those marked as requirements in the RPM. David From s_protsman at yahoo.com Thu Apr 28 20:16:33 2005 From: s_protsman at yahoo.com (Shawn Protsman) Date: Thu Apr 28 20:12:51 2005 Subject: gpg dependency issues (krb5 & klogd) In-Reply-To: 6667 Message-ID: <20050428181634.56981.qmail@web31402.mail.mud.yahoo.com> --- David Shaw wrote: > On Thu, Apr 28, 2005 at 09:59:23AM -0700, Shawn > Protsman wrote: > > I am running SuSE Linux Enterprise 9 on an iSeries > > (Power5 chipset) server: > > > > > uname -a > > > > Linux l336649e_pub 2.6.5-7.139-pseries64 #1 SMP > Fri > > Jan 14 15:41:33 UTC > > 2005 ppc64 ppc64 ppc64 GNU/Linux > > > > The installed version of gpg is 1.2.4. I would > like > > to update the system to 1.4.x. > > > > gpg 1.4 was not available via yast so I downloaded > > gpg-1.4.0-4.src.rpm from the SuSE 9.3 tree. Upon > > rebuilding the RPM I get the following: > > > > > rpmbuild --rebuild gpg-1.4.0-4.src.rpm > > Installing gpg-1.4.0-4.src.rpm > > error: Failed build dependencies: > > klogd is needed by gpg-1.4.0-4 > > krb5 is needed by gpg-1.4.0-4 > > This is a SuSE specific issue. GnuPG does not > require Kerberos or the > kernel logger daemon (which is a Linux specific > thing anyway). I > don't know why they have those marked as > requirements in the RPM. > > David Hi David, I have considered removing those references from the "BuildRequires" section of the gpg.spec file but I'm somewhat hesitant. Thanks, Shawn __________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! 
http://smallbusiness.yahoo.com/resources/ From jeroen at lightyear.be Thu Apr 28 20:28:21 2005 From: jeroen at lightyear.be (Jeroen Budts) Date: Thu Apr 28 20:25:26 2005 Subject: GPGee v0.4 - GNU Privacy Guard Explorer Extension In-Reply-To: <42706FDC.3050303@excelcia.org> References: <42706FDC.3050303@excelcia.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kurt Fitzner wrote: > Version 0.4 of GPGee (GNU Privacy Guard Explorer Extension) is now > available for download. Changes include: > > - Verify/decrypt support > - Configurable encrypt-to-self > - Updates to help > - Misc bug fixes > > Information, support, and source & binary (installer) downloads at: > http://gpgee.excelcia.org > hmm it makes my explorer.exe crash :(... When i choose 'verify' on a .asc file explorer crashes. In the Event Log is the following: Faulting application explorer.exe, version 6.0.2800.1106, faulting module , version 0.0.0.0, fault address 0x00000000. When i try 'sign' (or one of the other options) it also gives an error message (although in this case explorer.exe doesn't crash) (oh: i did reboot my comp after installing it and did setup the correct paths ;)) Greetz, Jeroen - -- --- e-mail: jeroen@lightyear.be - jid: teranex@jabber.org --- blog: http://budts.be/weblog/ - cv: http://budts.be/jeroen/ --- projects: http://lightyear.be - pgp: 0x8B7B774A _____________________________________ NO SoftwarePatents in Europe! 
See an example: http://webshop.ffii.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCcStEH04wF4t7d0oRAs5EAKCAglWHZ1TKIW2XNE29VnxQ+O05SACfWhAe +uin1Go0x5AmlrTMkcgfPvA= =nkwS -----END PGP SIGNATURE----- From asj at ipa.net Tue Apr 26 04:23:44 2005 From: asj at ipa.net (Alan Jones) Date: Fri Apr 29 10:19:43 2005 Subject: GnuPG and MS Outlook Message-ID: <426DA630.1010107@ipa.net> I was wondering if anyone had a good, easy, and approperate solution for using GnuPG with MS Outlook 2003? I was hoping for an interface like Enigmail with Mozilla Thunderbird, but something that integrates with Outlook. So far it seems my only options are WinPT and always using text files (but that still seems to sometimes seems to cause problems and have e-mails that are not correctly signed). I would prefer to not use Outlook at all, but my organization is every much in to MS Exchange so Outlook is really the only option for corporate stuff. From sk.list at gmail.com Fri Apr 29 12:50:20 2005 From: sk.list at gmail.com (SK) Date: Fri Apr 29 14:33:23 2005 Subject: GnuPG and MS Outlook In-Reply-To: <426DA630.1010107@ipa.net> References: <426DA630.1010107@ipa.net> Message-ID: <6ca73f650504290350273f90af@mail.gmail.com> Maybe this writeup could help? http://trilug.org/~chrish/gpg-outlook.php On 4/26/05, Alan Jones wrote: > I was wondering if anyone had a good, easy, and approperate solution for > using GnuPG with MS Outlook 2003? > From wolfe at riseup.net Sat Apr 30 10:03:49 2005 From: wolfe at riseup.net (wolfe@riseup.net) Date: Sat Apr 30 11:05:40 2005 Subject: gpg --batch --no-tty --gen-key Message-ID: <4279.wolfe.1114848229.squirrel@mail.riseup.net> In using these commands within a unix bash script.... 

cat <<-___ | gpg --batch --no-tty --gen-key
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: $IDENT
Name-Comment: $CALL
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $PASSPHRASE
%pubring unode.pub
%secring unode.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
___
gpg --no-tty --export-secret-keys --armor '$EMAIL' > $IDENT.sec.asc
gpg --no-tty --export --armor '$EMAIL' > $IDENT.pub.asc

.... I get the following errors:

1: gpg: WARNING: nothing exported
2: gpg --list-keys gets null

Ok, so where am I going wrong?

--
Wolfe
http://wolfe.blogsite.org

From gustabares at verizon.net Fri Apr 29 15:07:59 2005
From: gustabares at verizon.net (Gustavo Tabares)
Date: Wed May 11 13:04:53 2005
Subject: GPG error generating keys
Message-ID: <200504290907.59298.gustabares@verizon.net>

Hi all,

I'm having problems generating a key:

[blackbetty:~].gat$ gpg --gen-key
gpg (GnuPG) 1.2.7; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: cannot open `/dev/tty': Is a directory
[blackbetty:~].gat$

Any ideas of what might be going on here?

Thanks,
Gus

From bogus@does.not.exist.com Wed Apr 6 21:09:32 2005
From: bogus@does.not.exist.com ()
Date: Sat May 21 09:48:29 2005
Subject: No subject
Message-ID:

standard as it ought to be, or your setup is missing a DLL for charset conversion. There was a thread about charsets roughly half a year ago, have a look in the archives. http://lists.gnupg.org/pipermail/gnupg-users/ has one file per month, and http://lists.gnupg.org/pipermail/gnupg-users.mbox/ has a single mbox file of the whole archive.

HTH
//Samuel

From bogus@does.not.exist.com Wed Apr 6 21:09:32 2005
From: bogus@does.not.exist.com ()
Date: Mon May 23 20:16:37 2005
Subject: No subject
Message-ID:

S-boxes would seem to be susceptible to this class of attack. I think that would include 3DES, Twofish, etc. from what I know of their design.

> 3) Would it be easier to write a fast implementation of some
> other cipher
> that is immune to this kind of timing attacks?

Not for me ;-).

> 4) What are the plans for GnuPG?

I do not think this timing attack is a serious issue for GnuPG, since it does not work as an encrypting server that encrypts and transmits packets in real time. Obtaining timing data would require a compromise of the local machine. If an attacker can do that, why wouldn't the attacker just snag the pass phrase from the keyboard, or the plaintext?

There may be some implications for GPG systems which automatically receive-encrypt-forward, such as GPGrelay. However, since a different block cipher key is used with each run in OpenPGP, obtaining enough accurate timing data might be impossible. In the attack, the same key is used to encrypt different plaintext repeatedly.

I think the real implications of this attack are for VPNs or other "encrypting oracle" network services. But most site-to-site VPN devices use hardware ASICs these days, which would probably mean a constant-time implementation of AES and 3DES at least. Attacking software-based VPN clients may be a possibility, but again a local compromise of the machine is probably an easier attack to mount - even if it is running a hardened FreeBSD or something similar.

Regards,
Ryan
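
An added example, not part of any message in this archive, for the "gpg --batch --no-tty --gen-key" question above: %pubring/%secring send the new key to the named files instead of the default keyring, and '$EMAIL' in single quotes reaches gpg as the literal text $EMAIL, so the later exports and --list-keys find nothing. The sketch assumes GnuPG 1.4 option names and that the ring files are written relative to the current directory; the GPG override variable, the function names and the "run" argument are hypothetical.

```shell
#!/bin/sh
# Added example: unattended GnuPG 1.4 key generation followed by an export
# that looks in the keyring the key was actually written to.
# Variable and function names are hypothetical, not from the original post.

GPG=${GPG:-gpg}                  # can be overridden to inspect the arguments
PUBRING=${PUBRING:-./unode.pub}  # "./" makes gpg treat these as paths rather
SECRING=${SECRING:-./unode.sec}  # than names inside the GnuPG home directory

# Print the parameter block for --gen-key. The here-document delimiter is
# unquoted, so the shell expands $IDENT, $EMAIL and $PASSPHRASE here.
keygen_params() {
    cat <<EOF
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: $IDENT
EOF
    if [ -n "${CALL:-}" ]; then
        echo "Name-Comment: $CALL"
    fi
    cat <<EOF
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $PASSPHRASE
%pubring $PUBRING
%secring $SECRING
%commit
%echo done
EOF
}

# The key exists only in $PUBRING/$SECRING, so every later gpg call has to be
# pointed at those files; the default keyring never received it.
ring_gpg() {
    "$GPG" --no-tty --no-default-keyring \
        --keyring "$PUBRING" --secret-keyring "$SECRING" "$@"
}

generate_key() {
    keygen_params | "$GPG" --batch --no-tty --gen-key
}

# $1 is --export or --export-secret-keys. "$EMAIL" is double-quoted so gpg
# receives the address; '$EMAIL' would hand it the six characters $EMAIL.
export_key() {
    ring_gpg --armor "$1" "$EMAIL"
}

main() {
    : "${IDENT:?set IDENT}" "${EMAIL:?set EMAIL}" "${PASSPHRASE:?set PASSPHRASE}"
    umask 077                    # exported secret key readable by owner only
    generate_key
    export_key --export-secret-keys > "$IDENT.sec.asc"
    export_key --export > "$IDENT.pub.asc"
    ring_gpg --list-keys
}

# Run only on request:  IDENT=... EMAIL=... PASSPHRASE=... sh keygen.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The passphrase still sits in the script's environment and in the parameter stream, so the script itself needs the same file permissions as the secret keyring.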